From: lvrabec@redhat.com (Lukas Vrabec) Date: Thu, 19 Jul 2018 19:54:22 +0200 Subject: [refpolicy] map permission in can_exec() but not in domain_transition_pattern() In-Reply-To: <20180719174713.GC26209@julius.enp8s0.d30> References: <11ce07ad-6001-f686-29be-202c9062730e@redhat.com> <20180719164025.GA26209@julius.enp8s0.d30> <20180719165139.GB26209@julius.enp8s0.d30> <04962941-3775-f83e-fdc8-4dc30354d345@redhat.com> <20180719174713.GC26209@julius.enp8s0.d30> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/19/2018 07:47 PM, Dominick Grift wrote: > On Thu, Jul 19, 2018 at 07:42:53PM +0200, Lukas Vrabec via refpolicy wrote: >> On 07/19/2018 06:51 PM, Dominick Grift via refpolicy wrote: >>> On Thu, Jul 19, 2018 at 06:40:25PM +0200, Dominick Grift wrote: >>>> On Thu, Jul 19, 2018 at 06:17:46PM +0200, Lukas Vrabec via refpolicy wrote: >>>>> Hi All, >>>>> >>>>> I found one thing in refpolicy which I don't completely understand. >>>>> >>>>> In "policy/support/misc_patterns.spt" there is definition of >>>>> "domain_transition_pattern" and this contains line: >>>>> allow $1 $2:file { getattr open read execute }; >>>>> >>>>> There is missing map permission. >>>>> >>>>> However in "policy/support/misc_macros.spt" there is definition of >>>>> "can_exec" and it contains allow rule: >>>>> define(`can_exec',`allow $1 $2:file { mmap_exec_file_perms ioctl lock >>>>> execute_no_trans };') >>> >>> Sorry can_exec() should just use exec_file_perms which would should be mmap_exec_file_perms + execute_no_trans IMHO >>> >>>> >>>> This should just use mmap_exec_file_perms >>>> >> >> Should we remove lock permission? > > I would say yes, but i am not sure why it was added in the first place > It could be dangerous to remove it in such general macro. Let's test it before. >> >>>>> >>>>> There is a mmap_exec_file_perms which contains: >>>>> define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }') >>>>> >>>>> Map is present in can_exec(). >>>>> >>>>> So for domain transitions we don't allow map permission from calling >>>>> domain on binary type but in can_exec macro there is map permission. >>>>> >>>>> I think this is a bug and in "domain_transition_pattern" there should be >>>>> this line: >>>>> allow $1 $2:file { getattr open read execute map }; >>>> >>>> This should just use mmap_exec_file_perms as well >>>> >>>>> >>>>> instead of: >>>>> allow $1 $2:file { getattr open read execute }; >>>>> >>>>> Am I right or missing something? >>>>> >>>>> Thanks for help! >>>>> Lukas. >>>> >>>> permission sets provide a single point of failure and should used as much as possible >>>> >>>> These were overlooked and because of this we now have a good example what the purpose of permission sets and patterns is. >>>> >> >> Thanks, I'll prepare patch. >> >> Lukas. >> >>>>> >>>>> -- >>>>> Lukas Vrabec >>>>> Software Engineer, Security Technologies >>>>> Red Hat, Inc. >>>>> >>>> >>>> >>>> >>>> >>>>> _______________________________________________ >>>>> refpolicy mailing list >>>>> refpolicy at oss.tresys.com >>>>> http://oss.tresys.com/mailman/listinfo/refpolicy >>>> >>>> >>>> -- >>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 >>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 >>>> Dominick Grift >>> >>> >>> >>> >>> >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>> >> >> >> -- >> Lukas Vrabec >> Software Engineer, Security Technologies >> Red Hat, Inc. >> > > > > >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > _______________________________________________ > Selinux mailing list > Selinux at tycho.nsa.gov > To unsubscribe, send email to Selinux-leave at tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request at tycho.nsa.gov. > -- Lukas Vrabec Software Engineer, Security Technologies Red Hat, Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20180719/a5f68c2b/attachment.bin