From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 15:44:58 +0200
Subject: [refpolicy] [PATCH] second strict patch
In-Reply-To: <201704192334.17614.russell@coker.com.au>
References: <20170419110059.edrv6goiv2xwrnvk@athena.coker.com.au>
 <1B3399CF-E91A-47A3-8C02-80FCAD532262@trentalancia.net>
 <201704192334.17614.russell@coker.com.au>
Message-ID: <1492609498.4994.17.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

I do not agree with you... I have removed the unconfined permissions from several modules and, most importantly, I am not using most of the modules that you quoted (you have probably not considered the latter).

Therefore, I am using a simple and essential system and the systemd permissions are heavy.

I use sysvinit because it is essential and gets away with the minimum permissions: it does its job well, it complies with standards and interchangeability and, even more importantly, it sticks to that, without interfering with other tasks that are not required of an init daemon.

I do not understand the reason why everyone should be forced to adopt such permissions when there is an appropriate ifdef statement called "init_systemd"!

I really hope the patch will be changed to make use of the appropriate ifdef statements.

Regards,

Guido

On Wed, 19/04/2017 at 23.34 +1000, Russell Coker wrote:
> On Wed, 19 Apr 2017 09:51:14 PM Guido Trentalancia via refpolicy wrote:
> > I believe it is very important to move *all* permissions required by systemd
> > within the appropriate ifdef block (init_systemd).
> > 
> > Not everybody is using systemd and many people believe it is, amongst other
> > things, a waste of resources and SELinux permissions.
> 
> Are you running without unconfined.pp?  If not then the below is a list of the
> waste of SE Linux permissions which vastly exceeds what might be added for
> systemd.
> 
> policy/modules/admin/usermanage.te: unconfined_domain(useradd_t)
> policy/modules/admin/bootloader.te: unconfined_domain(bootloader_t)
> policy/modules/contrib/ada.te: unconfined_domain(ada_t)
> policy/modules/contrib/livecd.te: unconfined_domain_noaudit(livecd_t)
> policy/modules/contrib/mono.te: unconfined_domain(mono_t)
> policy/modules/contrib/wine.te: unconfined_domain(wine_t)
> policy/modules/contrib/puppet.te: unconfined_domain(puppet_t)
> policy/modules/contrib/sendmail.te: unconfined_domain(unconfined_sendmail_t)
> policy/modules/contrib/samba.te: unconfined_domain(samba_unconfined_script_t)
> policy/modules/contrib/inetd.te: unconfined_domain(inetd_t)
> policy/modules/contrib/inetd.te: unconfined_domain(inetd_child_t)
> policy/modules/contrib/anaconda.te: unconfined_domain_noaudit(anaconda_t)
> policy/modules/contrib/firstboot.te: unconfined_domain(firstboot_t)
> policy/modules/contrib/nagios.te: unconfined_domain(nagios_unconfined_plugin_t)
> policy/modules/contrib/prelink.te: unconfined_domain(prelink_t)
> policy/modules/contrib/qemu.te: unconfined_domain(unconfined_qemu_t)
> policy/modules/contrib/apache.te: unconfined_domain(httpd_unconfined_script_t)
> policy/modules/contrib/apt.te: unconfined_domain(apt_t)
> policy/modules/contrib/cron.te: unconfined_domain(unconfined_cronjob_t)
> policy/modules/contrib/java.te: unconfined_domain_noaudit(unconfined_java_t)
> policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_t)
> policy/modules/contrib/dpkg.te: unconfined_domain(dpkg_script_t)
> policy/modules/contrib/munin.te: unconfined_domain(unconfined_munin_plugin_t)
> policy/modules/kernel/kernel.te: unconfined_domain_noaudit(kernel_t)
> policy/modules/services/xserver.te: unconfined_domain(xdm_t)
> policy/modules/services/xserver.te: unconfined_domain_noaudit(xserver_t)
> policy/modules/system/authlogin.te: unconfined_domain(chkpwd_t)
> policy/modules/system/authlogin.te: unconfined_domain(pam_t)
> policy/modules/system/authlogin.te: unconfined_domain(pam_console_t)
> policy/modules/system/authlogin.te: unconfined_domain(updpwd_t)
> policy/modules/system/authlogin.te: unconfined_domain(utempter_t)
> policy/modules/system/getty.te: unconfined_domain(getty_t)
> policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
> policy/modules/system/libraries.te: unconfined_domain(ldconfig_t)
> policy/modules/system/locallogin.te: unconfined_domain(local_login_t)
> policy/modules/system/sysnetwork.te: unconfined_domain(dhcpc_t)
> policy/modules/system/sysnetwork.te: unconfined_domain(ifconfig_t)
> policy/modules/system/unconfined.if:interface(`unconfined_domain_noaudit',`
> policy/modules/system/unconfined.if:interface(`unconfined_domain',`
> policy/modules/system/unconfined.if: unconfined_domain_noaudit($1)
> policy/modules/system/init.te: unconfined_domain(init_t)
> policy/modules/system/init.te: unconfined_domain(initrc_t)
> policy/modules/system/logging.te: unconfined_domain(auditd_t)
> policy/modules/system/logging.te: unconfined_domain(klogd_t)
> policy/modules/system/logging.te: unconfined_domain(syslogd_t)
> policy/modules/system/fstools.te: unconfined_domain(fsadm_t)
> policy/modules/system/lvm.te: unconfined_domain(clvmd_t)
> policy/modules/system/lvm.te: unconfined_domain(lvm_t)
> policy/modules/system/mount.te: unconfined_domain(mount_t)
> policy/modules/system/mount.te: unconfined_domain(unconfined_mount_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(checkpolicy_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(load_policy_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(newrole_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(restorecond_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(run_init_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(semanage_t)
> policy/modules/system/selinuxutil.te: unconfined_domain(setfiles_t)
> policy/modules/system/udev.te: unconfined_domain(udev_t)
> policy/modules/system/unconfined.te:unconfined_domain(unconfined_t)
> policy/modules/system/unconfined.te:unconfined_domain_noaudit(unconfined_execmem_t)
> 
> > Thanks,
> > 
> > Guido
> > 
> > On the 19th of April 2017 13:00:59 CEST, Russell Coker via refpolicy wrote:
> > >This is the rest of my policy that was developed on "strict" systems.
> > >It also has no inter-dependencies with other patches.  I included the interface
> > >xdm_sigchld() in this patch as well so it can be applied on its own, this
> > >means that it conflicts with the login patch.
> > >
> > >Chris, maybe even if you don't apply this patch or the login patch in the
> > >near future you could add the xdm_sigchld() interface so that both patches
> > >can be complete and working and not conflict.
> > >
> > >Index: refpolicy-2.20170419/policy/modules/contrib/gnome.if
> > 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
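The two technical points in this thread are both checkable properties of a refpolicy `.te` module: whether a rule sits inside an ifdef(`init_systemd', ...) block (so it is compiled only for systemd builds), and which domains receive unconfined_domain() or unconfined_domain_noaudit() (Russell's grep). The script below is an added example, not code from refpolicy or from either author's patch. It tracks m4 parentheses, quotes and argument commas to decide, for every rule line, whether it lands in the systemd-only build, the non-systemd build (an ifdef else-branch or an ifndef), or both, and lists the unconfined domains. The sample module, its rule set and the interface names it calls are constructed for illustration.

```python
"""Audit a refpolicy .te module for init_systemd-guarded rules and unconfined domains.
Added example, not part of refpolicy; the sample module at the bottom is constructed."""
import re
from collections import Counter
from dataclasses import dataclass

COND_RE = re.compile(r"^(ifdef|ifndef)\(`([^']*)'\s*,")
RULE_RE = re.compile(r"^(?:allow|dontaudit|auditallow|neverallow|type_transition|typeattribute)\b"
                     r"|^([a-z][a-z0-9_]*)\(")
UNCONFINED_RE = re.compile(r"^(unconfined_domain(?:_noaudit)?)\(\s*([A-Za-z0-9_]+)\s*\)")
NOT_RULES = {"policy_module", "gen_require", "gen_tunable", "gen_bool",   # block openers and
             "optional_policy", "tunable_policy", "ifdef", "ifndef"}     # declarations, not rules

@dataclass
class Rule:
    lineno: int
    text: str
    build: str  # "systemd-only", "non-systemd" or "unconditional"

def _build(stack):
    """The innermost ifdef/ifndef on init_systemd decides which build compiles the rule."""
    for kind, name, argno, _ in reversed(stack):
        if name != "init_systemd":
            continue
        in_then = argno == 1  # m4 arg 0 is the name, 1 the then-branch, 2 the else-branch
        if kind == "ifdef":
            return "systemd-only" if in_then else "non-systemd"
        return "non-systemd" if in_then else "systemd-only"
    return "unconditional"

def classify_rules(policy):
    """Track m4 parentheses, quotes and argument commas; tag every rule line."""
    rules, stack, quote = [], [], 0  # stack entry: [kind, cond name, argno, quote depth at open]
    for lineno, raw in enumerate(policy.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop '#' comments: their apostrophes would skew quote tracking
        m = RULE_RE.match(line)
        if m and line.endswith((";", ")")) and m.group(1) not in NOT_RULES:
            rules.append(Rule(lineno, line, _build(stack)))
        cond = COND_RE.match(line)
        for i, ch in enumerate(line):
            if ch == "(":
                is_cond = cond is not None and i == cond.end(1)
                stack.append([cond.group(1), cond.group(2), 0, quote] if is_cond else ["paren", None, 0, quote])
            elif ch == ")" and stack:
                stack.pop()
            elif ch == "`":
                quote += 1
            elif ch == "'":
                quote -= 1
            elif ch == "," and stack and quote == stack[-1][3]:
                stack[-1][2] += 1  # comma at the macro's own quote level: next argument
    return rules

def unconfined_domains(policy):
    """(domain, macro, build) for each unconfined_domain[_noaudit]() call, like Russell's grep."""
    hits = [(UNCONFINED_RE.match(r.text), r.build) for r in classify_rules(policy)]
    return [(m.group(2), m.group(1), build) for m, build in hits if m]

def summarize(policy):
    return dict(Counter(r.build for r in classify_rules(policy)))

# Constructed sample module (not the real init.te); interface names are illustrative.
SAMPLE_TE = r"""
policy_module(init_sample, 1.0.0)
gen_require(`
    type init_t, initrc_t;
')
gen_tunable(init_sample_unconfined, false)

# rules every init needs
allow init_t self:process { setexec setfscreate setrlimit };
kernel_read_system_state(init_t)

ifdef(`init_systemd',`
    # systemd's extra cgroup and sysfs access; note the apostrophe
    allow init_t self:capability2 { audit_read block_suspend };
    fs_manage_cgroup_dirs(init_t)
    dev_rw_sysfs(init_t)
',`
    allow init_t initrc_t:process transition;
')
ifndef(`init_systemd',`
    corecmd_exec_shell(init_t)
')
optional_policy(`
    tunable_policy(`init_sample_unconfined',`
        unconfined_domain(init_t)
    ')
')
unconfined_domain_noaudit(initrc_t)
"""

if __name__ == "__main__":
    for r in classify_rules(SAMPLE_TE):
        print(f"{r.lineno:3} {r.build:13} {r.text}")
    print("unconfined:", unconfined_domains(SAMPLE_TE))
    print(summarize(SAMPLE_TE))
```

Run against a real module (or the post-patch version of one), the "unconditional" rows are the ones to inspect: anything there that only systemd needs is what Guido is asking to have moved under ifdef(`init_systemd', ...). The parser is deliberately simple (one rule per line, `#` comments, balanced m4 quotes) and does not expand macros, so it reports the source text, not the compiled policy.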