From mboxrd@z Thu Jan  1 00:00:00 1970
From: rfkrocktk@gmail.com (Naftuli Kay)
Date: Wed, 21 Dec 2016 11:32:16 -0800
Subject: [refpolicy] [PATCH] kernel: missing permissions for confined
	execution
In-Reply-To: <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
References: <1482021787.10349.1.camel@trentalancia.net>
	<e8bf4383-7290-0075-0905-ba07d6650ad6@ieee.org>
	<1482159003.3800.8.camel@trentalancia.net>
	<1482167717.2676.5.camel@trentalancia.net>
	<86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org>
Message-ID: <CAPTk+sbi4XrOpDBP-qYAmMVe0+_cdOfMAStEqCOZYD3vGj_HKQ@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

IIRC Fedora at least has a SystemD unit which runs very early in the
boot to relabel the filesystem.
Thanks,
 - Naftuli Kay


On Wed, Dec 21, 2016 at 11:25 AM, Chris PeBenito via refpolicy
<refpolicy@oss.tresys.com> wrote:
> On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote:
>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>
>> [...]
>>
>>>>> This patch adds missing permissions in the kernel module that
>>>>> prevent
>>>>> to run it without the unconfined module.
>>>>
>>>> I will need more clarification on these rules, especially all the
>>>> new
>>>> root_t access.  The only thing that should normally be root_t is /.
>>
>> [...]
>>
>>> As you can see, it is trying to execute a /bin/umount executable file
>>> that is labeled root_t (this is before switching to the new root, so
>>> it's in the initramfs).
>>>
>>> This is from the following two dracut initramfs modules:
>>>
>>> 98selinux/selinux-loadpolicy.sh
>>> 99base/init.sh
>>>
>>> Eventually, no relabeling is done by dracut after loading the policy.
>>
>> I don't know if it makes sense, but it is a bit like the chicken or egg
>> problem !
>>
>> Even if you relabel from initramfs after loading the policy, you still
>> have to execute setfiles as root_t ! So, it doesn't make much sense to
>> relabel (and enlarge the initramfs) just for executing umount and a few
>> other core utilities.
>
> It's too bad dracut seems to generate sloppy initramfs.  It is a lot of
> unnecessary access to force on anyone that doesn't use dracut.  I'm
> tempted to make it tunable.
>
>
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy