[refpolicy] modules_object_t vs. modules_dep_t labeling

From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] modules_object_t vs. modules_dep_t labeling
Date: Tue, 6 Oct 2015 20:13:59 +0200	[thread overview]
Message-ID: <20151006181357.GD27034@x250> (raw)
In-Reply-To: <20151005124856.GA21879@x250>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Oct 05, 2015 at 02:48:56PM +0200, Dominick Grift wrote:
> On Thu, Oct 01, 2015 at 11:58:25AM +0200, Miroslav Grepl wrote:
> > We have more and more bugs with mislabeled /lib/modules/*/modules.dep*
> > files. There is a default label for them - modules_dep_t but we get them
> > labeled as modules_object_t. Yes, we can add filename transition rules
> > and also find a reason why they get wrong labeling (in progress).
> > 
> > But is there a big advantage to have these two labels. At least I don't
> > see it from the policy point of view (sesearch).
> > 
> > Thank you.
> > 
> 

I think i kind of figured it out So i have the following name-based type
transitions:

    (macro modules_obj_type_transition_modules_dep ((type ARG1))
                                                   (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.alias"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.alias.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.alias.bin"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.alias.bin.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.block"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.builtin"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.builtin.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.builtin.bin"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.builtin.bin.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.dep"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.dep.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.dep.bin"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.dep.bin.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.devname"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.devname.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.drm"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.modesetting"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.networking"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.order"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.softdep"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.softdep.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.symbols"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.symbols.tmp"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file
                                                   "modules.symbols.bin"))
                                                        (call
                                                   modules.obj_type_transition
                                                   (ARG1 file file "modules.symbols.bin.tmp"))))

both kmod.subj (your insmod_t) as well as rpm_script_t call it

then i have the corresponding fc specs (note the .tmp's):

(in modules_dep
    (filecon "/usr/lib/modules/[^/]+/modules\.alias" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.alias\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.alias\.bin" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.alias\.bin\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.block" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.builtin" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.builtin\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.builtin\.bin" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.builtin\.bin\.tmp"
    file file_file_context)
         (filecon "/usr/lib/modules/[^/]+/modules\.dep" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.dep\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.dep\.bin" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.dep\.bin\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.devname" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.devname\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.drm" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.modesetting" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.networking" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.order" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.softdep" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.softdep\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.symbols" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.symbols\.tmp" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.symbols\.bin" file
    file_file_context)
        (filecon "/usr/lib/modules/[^/]+/modules\.symbols\.bin\.tmp"
    file file_file_context))

This, in my case, pretty much takes care of consistent labeling

Theres is an issue though that the kernel-install script uses cp -a to
copy stuff from /usr/lib/modules to /boot , so some stuff ends up with
the modules label in /boot ...

ps. sorry for the layout emacs seems to think this is right

- -- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQGcBAEBCgAGBQJWFA9hAAoJENAR6kfG5xmcoNQMAJ7opmSNzKa2NI39a3q+TxAE
xgKswRtSWt7yVhFeAxii60uBcYkxmlBJydZl7GyooEQBKwa2WSGDdZbwxxcBihjz
FfLT07hCnBHIl62+tsfORu5+BUWpn0ruF3iai88QIslYfEuU5aiAG93z0wh0xpzM
9+gHsn2BIUqfMSelIJiQCmM2u0oNfqPjFug7e3eZgMvsK9wloEWjoj9BAFKOQSSj
8Esrzfn3dmwPS7F1KQVnu8Bu8MCJBvzXf1Zg4DHQviSsWw/o/x2NfxC78ZbhQNyc
330YRgsScWUeBrHVEuVM8VIoynzVx8uSCgEj+k01Q+dzhj33aD5pQdu0CerU7CQl
yFzYUnLsZPXdkM70qOBtdEHHLayby79krAjRQPyB3QdJWvxMMMccJp4GeMZ1j46S
2gP3k7iGLl8h8Q8JabmodU5Ne1OHlye20EAmhB7HFtrceHatjio9rNFwVCNQVo3m
hhjB684f2c8sqwN6U8WH/joiHP9NcwroF9/6SD8qng==
=rSzK
-----END PGP SIGNATURE-----