2008-08-29 03:54:50

by kindloaf

[permalink] [raw]
Subject: [refpolicy] Parsing Binary Ref Policy

I am trying to parse the refpolicy under ubuntu 8.04. I used
/etc/selinux/refplicy/policy/policy.22. The size of the binary policy is
about 360K(accurate size is 360296).

Then I use "dispol" tool in checkpolicy to parse the policy. However I feel
that the parsing result is not correct. There are many domains missing in
the parse result. There is no htttpd domain, no ftpd domain...

And the access vector really confuses me. For example, I think the domain
insmod_t should be entered through insmod, rmmod, ... But from the policy,
domain insmod_t has the entrypoint privilege over a lot of types:
hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there are more than 300
of them).

Did I do anything wrong? And if I am getting the correct binary policy, why
the entrypoint privilege is configure this way?

Thanks.

Hong
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20080828/4ebdb27b/attachment.html


2008-08-29 12:12:12

by cpebenito

[permalink] [raw]
Subject: [refpolicy] Parsing Binary Ref Policy

On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> I am trying to parse the refpolicy under ubuntu 8.04. I
> used /etc/selinux/refplicy/policy/policy.22. The size of the binary
> policy is about 360K(accurate size is 360296).
>
> Then I use "dispol" tool in checkpolicy to parse the policy. However
> I feel that the parsing result is not correct. There are many
> domains missing in the parse result. There is no htttpd domain, no
> ftpd domain...
>
> And the access vector really confuses me. For example, I think the
> domain insmod_t should be entered through insmod, rmmod, ... But from
> the policy, domain insmod_t has the entrypoint privilege over a lot
> of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> are more than 300 of them).
>
> Did I do anything wrong? And if I am getting the correct binary
> policy, why the entrypoint privilege is configure this way?

The insmod_t domain has the entrypoint permission on all files because
it is unconfined in the ubuntu policy.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-08-29 20:53:53

by kindloaf

[permalink] [raw]
Subject: [refpolicy] Parsing Binary Ref Policy

Thanks for you explanation.

Now I am trying to compile the current refpolicy (use "apt-get source
refpolicy" to get the policy source).
After "make policy", "make load", "make restorelabels", I restarted the
machine.

Now ubuntu doesn't boot. Following is the screenshot:
=8<=========================================
Starting up ...
Loading, please wait...
[ 14.623245] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 14.623882] sd 0:0:0:0: [sda] Assuming drive cache: write through
kinit: name_to_dev_t(/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def)
= s
da5(8,5)
kinit: trying to resume from
/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63
def
kinit: No resume image, doing normal boot...
exec: 7: /etc/init.d/rcS: Permission denied
init: rcS main process (2326) terminated with status 2
init: rc-default main process (2328) terminated with status 1
=8<=========================================

I used ubuntu live CD and found nothing in /var/log/message. (there is no
single entry since last boot) And if I disable SELinux by turning off the
kernel option, it can boot.
Is there any clue how to solve this problem?


Hong

On Fri, Aug 29, 2008 at 8:12 AM, Christopher J. PeBenito <
[email protected]> wrote:

> On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> > I am trying to parse the refpolicy under ubuntu 8.04. I
> > used /etc/selinux/refplicy/policy/policy.22. The size of the binary
> > policy is about 360K(accurate size is 360296).
> >
> > Then I use "dispol" tool in checkpolicy to parse the policy. However
> > I feel that the parsing result is not correct. There are many
> > domains missing in the parse result. There is no htttpd domain, no
> > ftpd domain...
> >
> > And the access vector really confuses me. For example, I think the
> > domain insmod_t should be entered through insmod, rmmod, ... But from
> > the policy, domain insmod_t has the entrypoint privilege over a lot
> > of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> > are more than 300 of them).
> >
> > Did I do anything wrong? And if I am getting the correct binary
> > policy, why the entrypoint privilege is configure this way?
>
> The insmod_t domain has the entrypoint permission on all files because
> it is unconfined in the ubuntu policy.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20080829/79e2b1e8/attachment.html

2008-08-30 20:44:24

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] Parsing Binary Ref Policy

On Fri, 2008-08-29 at 16:53 -0400, Hong wrote:
> Now I am trying to compile the current refpolicy (use "apt-get source
> refpolicy" to get the policy source).
> After "make policy", "make load", "make restorelabels", I restarted
> the machine.
>
> Now ubuntu doesn't boot. Following is the screenshot:
> =8<=========================================
> Starting up ...
> Loading, please wait...
> [ 14.623245] sd 0:0:0:0: [sda] Assuming drive cache: write through
> [ 14.623882] sd 0:0:0:0: [sda] Assuming drive cache: write through
> kinit:
> name_to_dev_t(/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def)
> = s
> da5(8,5)
> kinit: trying to resume
> from /dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63
> def
> kinit: No resume image, doing normal boot...
> exec: 7: /etc/init.d/rcS: Permission denied
> init: rcS main process (2326) terminated with status 2
> init: rc-default main process (2328) terminated with status 1
> =8<=========================================
>
> I used ubuntu live CD and found nothing in /var/log/message. (there
> is no single entry since last boot) And if I disable SELinux by
> turning off the kernel option, it can boot.
> Is there any clue how to solve this problem?

My guess would be that you did not enable the tunable for using upstart.
You can either set this in the booleans.conf when you are building the
policy or by using `setsebool -P init_upstart 1`.

--
Chris PeBenito
<[email protected]>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080830/879dc5f2/attachment.bin