From mboxrd@z Thu Jan 1 00:00:00 1970
From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 21 Dec 2016 21:27:14 +0100
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
In-Reply-To: <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
Message-ID: <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again.

The initramfs is just a gzipped cpio archive, which therefore has no extended attributes...

Dracut is kernel.org official and widely used.

I am neutral about making it tunable, but since you proposed it, I'll offer my help to change the patch...

Do you fancy the name "boot_initramfs" for the boolean that you suggested?

Please let me know and I'll prepare a new version of this patch.

Regards,

Guido

On the 21st December 2016 20:25:04 CET, Chris PeBenito wrote:
>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>> On Mon, 19/12/2016 at 15.50 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>
>> [...]
>>
>>>>> This patch adds missing permissions in the kernel module that
>>>>> prevent running it without the unconfined module.
>>>>
>>>> I will need more clarification on these rules, especially all the
>>>> new root_t access. The only thing that should normally be root_t is /.
>>
>> [...]
>>
>>> As you can see, it is trying to execute a /bin/umount executable file
>>> that is labeled root_t (this is before switching to the new root, so
>>> it's in the initramfs).
>>>
>>> This is from the following two dracut initramfs modules:
>>>
>>> 98selinux/selinux-loadpolicy.sh
>>> 99base/init.sh
>>>
>>> Eventually, no relabeling is done by dracut after loading the policy.
>>
>> I don't know if it makes sense, but it is a bit like the chicken or egg
>> problem!
>>
>> Even if you relabel from initramfs after loading the policy, you still
>> have to execute setfiles as root_t! So, it doesn't make much sense to
>> relabel (and enlarge the initramfs) just for executing umount and a few
>> other core utilities.
>
>It's too bad dracut seems to generate sloppy initramfs. It is a lot of
>unnecessary access to force on anyone that doesn't use dracut. I'm
>tempted to make it tunable.
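
The archive-format point in the message above, as an added example that is not part of the original thread, refpolicy or dracut: a minimal Python reader for the newc cpio layout used for initramfs images, showing that the per-file header has a fixed set of fields with no slot for an extended attribute such as security.selinux. The helper names and the sample archive are constructed for illustration, and the reader assumes a single gzip-compressed newc archive.

```python
import gzip

# newc header: 6-byte magic "070701" followed by 13 fields of 8 hex digits each.
# This is the complete per-file metadata; there is no slot for xattrs such as
# security.selinux.
NEWC_FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
               "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")
HEADER_LEN = 6 + 8 * len(NEWC_FIELDS)  # 110 bytes

def pad4(n):
    """Round n up to a multiple of 4 (newc aligns names and data to 4 bytes)."""
    return (n + 3) & ~3

def make_entry(name, data=b"", mode=0o100755):
    """Serialize one member; used only to build the constructed sample below."""
    raw_name = name.encode() + b"\0"
    values = dict.fromkeys(NEWC_FIELDS, 0)
    values.update(mode=mode, nlink=1, filesize=len(data), namesize=len(raw_name))
    head = b"070701" + b"".join(b"%08X" % values[f] for f in NEWC_FIELDS) + raw_name
    head += b"\0" * (pad4(len(head)) - len(head))
    return head + data + b"\0" * (pad4(len(data)) - len(data))

def parse_initramfs(blob):
    """Return [(name, header_fields, data)] for a gzipped newc archive."""
    raw, pos, members = gzip.decompress(blob), 0, []
    while pos + HEADER_LEN <= len(raw):
        if raw[pos:pos + 6] != b"070701":
            raise ValueError("no newc magic at offset %d" % pos)
        hexes = raw[pos + 6:pos + HEADER_LEN]
        fields = {f: int(hexes[i * 8:i * 8 + 8], 16) for i, f in enumerate(NEWC_FIELDS)}
        name_end = pos + HEADER_LEN + fields["namesize"]
        name = raw[pos + HEADER_LEN:name_end - 1].decode()
        if name == "TRAILER!!!":  # end-of-archive marker
            break
        start = pad4(name_end)
        members.append((name, fields, raw[start:start + fields["filesize"]]))
        pos = pad4(start + fields["filesize"])
    return members

# Constructed sample standing in for a dracut-generated initramfs.
SAMPLE = gzip.compress(make_entry("bin/umount", b"\x7fELF placeholder")
                       + make_entry("init", b"#!/bin/sh\n")
                       + make_entry("TRAILER!!!", mode=0))

if __name__ == "__main__":
    for name, fields, data in parse_initramfs(SAMPLE):
        print(name, oct(fields["mode"]), len(data), "bytes, metadata:", sorted(fields))
```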