From: russell@coker.com.au (Russell Coker)
Date: Wed, 19 Apr 2017 23:34:17 +1000
Subject: [refpolicy] [PATCH] second strict patch
In-Reply-To: <1B3399CF-E91A-47A3-8C02-80FCAD532262@trentalancia.net>
References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au>
 <1B3399CF-E91A-47A3-8C02-80FCAD532262@trentalancia.net>
Message-ID: <201704192334.17614.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 19 Apr 2017 09:51:14 PM Guido Trentalancia via refpolicy wrote:
> I believe it is very important to move *all* permission required by systemd
> within the appropriate ifdef block (init_systemd).
>
> Not everybody is using systemd and many people believe it is, amongst other
> things, a waste of resources and SELinux permissions.

Are you running without unconfined.pp?  If not then the below is a list of the
waste of SE Linux permissions which vastly exceeds what might be added for
systemd.

policy/modules/admin/usermanage.te: unconfined_domain(useradd_t)
policy/modules/admin/bootloader.te: unconfined_domain(bootloader_t)
policy/modules/contrib/ada.te: unconfined_domain(ada_t)
policy/modules/contrib/livecd.te: unconfined_domain_noaudit(livecd_t)
policy/modules/contrib/mono.te: unconfined_domain(mono_t)
policy/modules/contrib/wine.te: unconfined_domain(wine_t)
policy/modules/contrib/puppet.te: unconfined_domain(puppet_t)
policy/modules/contrib/sendmail.te: unconfined_domain(unconfined_sendmail_t)
policy/modules/contrib/samba.te: unconfined_domain(samba_unconfined_script_t)
policy/modules/contrib/inetd.te: unconfined_domain(inetd_t)
policy/modules/contrib/inetd.te: unconfined_domain(inetd_child_t)
policy/modules/contrib/anaconda.te: unconfined_domain_noaudit(anaconda_t)
policy/modules/contrib/firstboot.te: unconfined_domain(firstboot_t)
policy/modules/contrib/nagios.te: unconfined_domain(nagios_unconfined_plugin_t)
policy/modules/contrib/prelink.te: unconfined_domain(prelink_t)
policy/modules/contrib/qemu.te: unconfined_domain(unconfined_qemu_t)
policy/modules/contrib/apache.te: unconfined_domain(httpd_unconfined_script_t)
policy/modules/contrib/apt.te: unconfined_domain(apt_t)
policy/modules/contrib/cron.te: unconfined_domain(unconfined_cronjob_t)
policy/modules/contrib/java.te: unconfined_domain_noaudit(unconfined_java_t)
policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_t)
policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_script_t)
policy/modules/contrib/munin.te: unconfined_domain(unconfined_munin_plugin_t)
policy/modules/kernel/kernel.te: unconfined_domain_noaudit(kernel_t)
policy/modules/services/xserver.te: unconfined_domain(xdm_t)
policy/modules/services/xserver.te: unconfined_domain_noaudit(xserver_t)
policy/modules/system/authlogin.te: unconfined_domain(chkpwd_t)
policy/modules/system/authlogin.te: unconfined_domain(pam_t)
policy/modules/system/authlogin.te: unconfined_domain(pam_console_t)
policy/modules/system/authlogin.te: unconfined_domain(updpwd_t)
policy/modules/system/authlogin.te: unconfined_domain(utempter_t)
policy/modules/system/getty.te: unconfined_domain(getty_t)
policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
policy/modules/system/locallogin.te: unconfined_domain(local_login_t)
policy/modules/system/sysnetwork.te: unconfined_domain(dhcpc_t)
policy/modules/system/sysnetwork.te: unconfined_domain(ifconfig_t)
policy/modules/system/unconfined.if:interface(`unconfined_domain_noaudit',`
policy/modules/system/unconfined.if:interface(`unconfined_domain',`
policy/modules/system/unconfined.if: unconfined_domain_noaudit($1)
policy/modules/system/init.te: unconfined_domain(init_t)
policy/modules/system/init.te: unconfined_domain(initrc_t)
policy/modules/system/logging.te: unconfined_domain(auditd_t)
policy/modules/system/logging.te: unconfined_domain(klogd_t)
policy/modules/system/logging.te: unconfined_domain(syslogd_t)
policy/modules/system/fstools.te: unconfined_domain(fsadm_t)
policy/modules/system/lvm.te: unconfined_domain(clvmd_t)
policy/modules/system/lvm.te: unconfined_domain(lvm_t)
policy/modules/system/mount.te: unconfined_domain(mount_t)
policy/modules/system/mount.te: unconfined_domain(unconfined_mount_t)
policy/modules/system/selinuxutil.te: unconfined_domain(checkpolicy_t)
policy/modules/system/selinuxutil.te: unconfined_domain(load_policy_t)
policy/modules/system/selinuxutil.te: unconfined_domain(newrole_t)
policy/modules/system/selinuxutil.te: unconfined_domain(restorecond_t)
policy/modules/system/selinuxutil.te: unconfined_domain(run_init_t)
policy/modules/system/selinuxutil.te: unconfined_domain(semanage_t)
policy/modules/system/selinuxutil.te: unconfined_domain(setfiles_t)
policy/modules/system/udev.te: unconfined_domain(udev_t)
policy/modules/system/unconfined.te:unconfined_domain(unconfined_t)
policy/modules/system/unconfined.te:unconfined_domain_noaudit(unconfined_execmem_t)

> Thanks,
>
> Guido
>
> On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy wrote:
> >This is the rest of my policy that was developed on "strict" systems.  It also
> >has no inter-dependencies with other patches.  I included the interface
> >xdm_sigchld() in this patch as well so it can be applied on its own, this
> >means that it conflicts with the login patch.
> >
> >Chris, maybe even if you don't apply this patch or the login patch in the
> >near future you could add the xdm_sigchld() interface so that both patches
> >can be complete and working and not conflict.
> >
> >Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
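The list above is a plain grep; the question Guido raises is whether such calls sit inside an ifdef/optional_policy block or apply unconditionally. As an added example (not part of this thread and not refpolicy's own tooling), the POSIX shell script below walks a refpolicy-style tree, reports every domain handed to unconfined_domain() or unconfined_domain_noaudit(), and tags each call as guarded by an m4 block or unconditional. It assumes refpolicy's layout (policy/modules/*/*.te) and its one-call-per-line, `')`-closes-a-block style; the sample tree it builds for the demo is constructed, including its module versions.

```shell
#!/bin/sh
# Added example; not from the mailing-list post or from refpolicy itself.
# Audit a refpolicy-style source tree for domains made fully unconfined and
# report whether each call is inside an m4 block (ifdef/optional_policy/
# tunable_policy) or unconditional.  Assumes refpolicy layout and style.

# audit_unconfined DIR
# prints: <relative .te path>:<domain>:<interface>:<guarded|unconditional>
audit_unconfined() {
    dir="$1"
    find "$dir" -name '*.te' | sort | while read -r f; do
        awk -v file="${f#$dir/}" '
            # \047 is a single quote; refpolicy closes a block with a line
            # that starts with one (an else branch both closes and reopens),
            # and opens one with a line ending in a backtick.  The close test
            # runs first so an else line leaves the depth unchanged.
            BEGIN { depth = 0; close_re = "^[[:space:]]*\047" }
            $0 ~ close_re { if (depth > 0) depth-- }
            /`[[:space:]]*$/ { depth++ }
            /^[[:space:]]*unconfined_domain(_noaudit)?\([A-Za-z0-9_]+\)/ {
                line = $0; sub(/^[[:space:]]*/, "", line)
                iface = line; sub(/\(.*/, "", iface)
                dom = line; sub(/^[^(]*\(/, "", dom); sub(/\).*/, "", dom)
                printf "%s:%s:%s:%s\n", file, dom, iface,
                       (depth > 0 ? "guarded" : "unconditional")
            }
        ' "$f"
    done
}

# count_unconditional DIR -> number of calls not wrapped in any m4 block
count_unconditional() {
    audit_unconfined "$1" | grep -c ':unconditional$' || true
}

# make_sample_tree DIR -- constructed sample (not real refpolicy content)
make_sample_tree() {
    mkdir -p "$1/policy/modules/system" "$1/policy/modules/contrib"
    cat > "$1/policy/modules/system/init.te" <<'EOF'
policy_module(init, 1.0.0)
type init_t;
ifdef(`init_systemd',`
    unconfined_domain(init_t)
',`
    allow init_t self:process setexec;
')
EOF
    cat > "$1/policy/modules/system/unconfined.te" <<'EOF'
policy_module(unconfined, 1.0.0)
type unconfined_t;
unconfined_domain(unconfined_t)
unconfined_domain_noaudit(unconfined_execmem_t)
EOF
    cat > "$1/policy/modules/contrib/wine.te" <<'EOF'
policy_module(wine, 1.0.0)
type wine_t;
optional_policy(`
    unconfined_domain(wine_t)
')
EOF
    # interface definitions live in .if files and are not calls; skipped
    cat > "$1/policy/modules/system/unconfined.if" <<'EOF'
interface(`unconfined_domain',`
    unconfined_domain_noaudit($1)
')
EOF
}

# Stand-alone demo on the constructed tree; a real run would pass a
# refpolicy checkout to audit_unconfined instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    audit_unconfined "$tmp"
    echo "unconditional calls: $(count_unconditional "$tmp")"
    rm -rf "$tmp"
fi
```

Run with `sh audit.sh --demo` to see the constructed tree's report, or call `audit_unconfined /path/to/refpolicy` on a checkout. Whether the report matters on a given box is the question the mail opens with: `semodule -l` shows whether the unconfined module is loaded at all, and without it the unconditional entries are the ones that actually cost permissions.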