From mboxrd@z Thu Jan 1 00:00:00 1970 From: rfkrocktk@gmail.com (Naftuli Kay) Date: Wed, 21 Dec 2016 12:49:17 -0800 Subject: [refpolicy] [PATCH] kernel: missing permissions for confined execution In-Reply-To: References: <1482021787.10349.1.camel@trentalancia.net> <1482159003.3800.8.camel@trentalancia.net> <1482167717.2676.5.camel@trentalancia.net> <86d30284-085e-4bc7-ce50-d137c342ed8a@ieee.org> <00514D77-7C73-481E-8BF4-9ACBEDE69143@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com > The initramfs is just a gzipped cpio archive, which therefore hasn't extended attributes... Aha, that explains it. Thanks, - Naftuli Kay On Wed, Dec 21, 2016 at 12:39 PM, Guido Trentalancia via refpolicy wrote: > Another naming option would be more simply "allow_initramfs". > > Whatever you decide, considering it is official and widely used, I suggest using a default value of "true", which can then be easily hardened. > > I look forward to hearing from you about this. > > Regards, > > Guido > > On the 21st December 2016 21:27:14 CET, Guido Trentalancia via refpolicy wrote: >>Hello again. >> >>The initramfs is just a gzipped cpio archive, which therefore hasn't >>extended attributes... >> >>Dracut is kernel.org official and widely used. >> >>I am neutral about making it tuneable, but since you proposed it, I'll >>offer my help to change the patch... >> >>Do you fancy the name "boot_initramfs" for the boolean that you >>suggested di ? >> >>Please let me know and I'll prepare a new version of this patch. >> >>Regards, >> >>Guido >> >> >> >>On the 21st December 2016 20:25:04 CET, Chris PeBenito >> wrote: >>>On 12/19/16 12:15, Guido Trentalancia via refpolicy wrote: >>>> On Mon, 19/12/2016 alle 15.50 +0100, Guido Trentalancia via >>refpolicy >>>> wrote: >>>> >>>> [...] >>>> >>>>>>> This patch adds missing permissions in the kernel module that >>>>>>> prevent >>>>>>> to run it without the unconfined module. >>>>>> >>>>>> I will need more clarification on these rules, especially all the >>>>>> new >>>>>> root_t access. The only thing that should normally be root_t is >>/. >>>> >>>> [...] >>>> >>>>> As you can see, it is trying to execute a /bin/umount executable >>>file >>>>> that is labeled root_t (this is before switching to the new root, >>so >>>>> it's in the initramfs). >>>>> >>>>> This is from the following two dracut initramfs modules: >>>>> >>>>> 98selinux/selinux-loadpolicy.sh >>>>> 99base/init.sh >>>>> >>>>> Eventually, no relabeling is done by dracut after loading the >>>policy. >>>> >>>> I don't know if it makes sense, but it is a bit like the chicken or >>>egg >>>> problem ! >>>> >>>> Even if you relabel from initramfs after loading the policy, you >>>still >>>> have to execute setfiles as root_t ! So, it doesn't make much sense >>>to >>>> relabel (and enlarge the initramfs) just for executing umount and a >>>few >>>> other core utilities. >>> >>>It's too bad dracut seems to generate sloppy initramfs. It is a lot >>of >>> >>>unnecessary access to force on anyone that doesn't use dracut. I'm >>>tempted to make it tunable. >> >>_______________________________________________ >>refpolicy mailing list >>refpolicy at oss.tresys.com >>http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy