From: rfkrocktk@gmail.com (Naftuli Kay)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution
Date: Wed, 21 Dec 2016 11:32:16 -0800
Message-ID: <CAPTk+sbi4XrOpDBP-qYAmMVe0+_cdOfMAStEqCOZYD3vGj_HKQ@mail.gmail.com>
In-Reply-To: <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>

IIRC Fedora at least has a systemd unit which runs very early in the
boot to relabel the filesystem.
Thanks,
 - Naftuli Kay


On Wed, Dec 21, 2016 at 11:25 AM, Chris PeBenito via refpolicy
<refpolicy@oss.tresys.com> wrote:
> On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>
>> [...]
>>
>>>>> This patch adds missing permissions in the kernel module that
>>>>> prevent
>>>>> running it without the unconfined module.
>>>>
>>>> I will need more clarification on these rules, especially all the
>>>> new
>>>> root_t access.  The only thing that should normally be root_t is /.
>>
>> [...]
>>
>>> As you can see, it is trying to execute a /bin/umount executable file
>>> that is labeled root_t (this is before switching to the new root, so
>>> it's in the initramfs).
>>>
>>> This is from the following two dracut initramfs modules:
>>>
>>> 98selinux/selinux-loadpolicy.sh
>>> 99base/init.sh
>>>
>>> Eventually, no relabeling is done by dracut after loading the policy.
>>
>> I don't know if it makes sense, but it is a bit like the chicken or egg
>> problem!
>>
>> Even if you relabel from initramfs after loading the policy, you still
>> have to execute setfiles as root_t! So, it doesn't make much sense to
>> relabel (and enlarge the initramfs) just for executing umount and a few
>> other core utilities.
>
> It's too bad dracut seems to generate sloppy initramfs.  It is a lot of
> unnecessary access to force on anyone that doesn't use dracut.  I'm
> tempted to make it tunable.
>
>
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
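An added example, not from this thread and not code from refpolicy or dracut: a small shell check that takes an `ls -Z`-style listing of an initramfs plus a file_contexts-style spec, reports which files are still typed root_t (the situation described above for /bin/umount), and shows what a relabel would change. The listing, the spec and the types in it are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of "context path" pairs, as ls -Z-style output from an
# initramfs after the policy is loaded but before any relabel. Not captured
# from a real system; the types are illustrative.
SAMPLE_LISTING='system_u:object_r:root_t:s0 /
system_u:object_r:root_t:s0 /bin/umount
system_u:object_r:bin_t:s0 /bin/mount
system_u:object_r:root_t:s0 /usr/sbin/setfiles
system_u:object_r:etc_t:s0 /etc/selinux/config'

# Constructed, simplified file_contexts-style spec: "regex type" per line.
# Assumed for this example only; a real policy ships a far larger file.
SAMPLE_FILE_CONTEXTS='^/bin/.*  bin_t
^/bin/u?mount  mount_exec_t
^/usr/sbin/setfiles  setfiles_exec_t
^/etc/.*  etc_t'

# Triage: paths still typed root_t, apart from "/" which is legitimately root_t.
root_t_files() {
    printf '%s\n' "$1" | awk '{
        split($1, ctx, ":")
        if (ctx[3] == "root_t" && $2 != "/") print $2
    }'
}

# What a relabel would change: for each path, find the expected type from the
# spec (last matching entry wins, as setfiles does) and print "path cur -> want"
# when the current type differs. Paths matching no entry are left alone.
relabel_mismatches() {
    printf '%s\n' "$1" | awk -v spec="$2" '
    BEGIN {
        n = split(spec, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); re[i] = f[1]; ty[i] = f[2] }
    }
    {
        split($1, ctx, ":"); cur = ctx[3]; want = ""
        for (i = 1; i <= n; i++) if ($2 ~ re[i]) want = ty[i]
        if (want != "" && want != cur) print $2 " " cur " -> " want
    }'
}

echo "root_t files other than /:"
root_t_files "$SAMPLE_LISTING"
echo "labels a relabel would change:"
relabel_mismatches "$SAMPLE_LISTING" "$SAMPLE_FILE_CONTEXTS"
```

On a real initramfs the listing would come from unpacking the image and running `ls -Z` over it, and the spec from the policy's own file_contexts.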
