selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dominick Grift <dac.override@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>,
	Paul Moore <paul@paul-moore.com>,
	selinux@vger.kernel.org
Subject: Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
Date: Sat, 16 Feb 2019 13:12:56 +0100	[thread overview]
Message-ID: <20190216121256.GB11908@brutus.lan> (raw)
In-Reply-To: <20190216120412.GA11908@brutus.lan>

[-- Attachment #1: Type: text/plain, Size: 1903 bytes --]

On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
> On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
> <snip>
> 
> > 
> > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
> > without specifying -U / --handle-unknown, so the policy defaults to deny,
> > and that would indeed render dbus-daemon and systemd broken with that
> > policy.  Might be as simple to fix as passing -U allow.
> 
> I have looked a litte into this and here are some observations:
> 
> 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
> 
> 2. You need *at least* an `/etc/selinux/dummy/seusers` with `__default__:user_u` and an accompanying `/etc/selinux/dummy/contexts/failsafe_context` with `base_r:base_t` to boot mdp in enforcing
> 
> 3. There is an issue with checkpolicy and object_r:
> 
> PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
> 
> if you try to append: `role object_r; role object_r types base_t;` to policy.conf and compile that with `checkpolicy` then the `roletype-rule` does *not* end up in the compiled policy for some reason.
> 
> thus, you cannot log in because object_r:base_t is not valid.
> 
> To hack around this add `default_role * source` rules to policy.conf and recompile.
> 
> This will allow you to log into the system locally in enforcing mode.
> 
> 4. I also noticed that fedoras' ssh seems to hardcode `sshd_net_t` for its "privsep" functionality so, while untested, you probably need an `openssh_contexts` with `privsep_preauth=base_t`
> 

The `install_policy.sh` script should probably also do a bash file test for `checkpolicy` and fail gracefully if its not found

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

  reply	other threads:[~2019-02-16 12:13 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-02-15 14:50 [PATCH v3] scripts/selinux: add basic mls support to mdp Stephen Smalley
2019-02-15 15:00 ` Paul Moore
2019-02-15 15:03   ` Stephen Smalley
2019-02-15 15:05     ` Stephen Smalley
2019-02-15 15:18       ` Paul Moore
2019-02-15 15:25       ` Stephen Smalley
2019-02-15 15:37         ` Paul Moore
2019-02-15 15:40         ` Stephen Smalley
2019-02-15 16:52           ` Dominick Grift
2019-02-15 17:16             ` Stephen Smalley
2019-02-15 17:19               ` Dominick Grift
2019-02-15 17:24             ` Dominick Grift
2019-02-15 19:11               ` Paul Moore
2019-02-15 19:21                 ` Dominick Grift
2019-02-15 19:30                   ` Stephen Smalley
2019-02-15 19:36                     ` Dominick Grift
2019-02-15 19:48                       ` Stephen Smalley
2019-02-16 12:04                         ` Dominick Grift
2019-02-16 12:12                           ` Dominick Grift [this message]
2019-02-18  3:12                             ` Paul Moore
2019-02-18  7:08                               ` Dominick Grift
     [not found]                                 ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
2019-02-19  8:15                                   ` Dominick Grift
2019-02-19 11:08                                   ` Dominick Grift
     [not found]                                     ` <CAB9W1A2s+PcrC=fPXA9AYRm1oVYArsRCGKihM5mjUqnQtuLe3w@mail.gmail.com>
     [not found]                                       ` <CAB9W1A3Pef5pfAZ8UEvSQYvWA9oZTRNPvWFCHw8e9eqZsGvGWA@mail.gmail.com>
2019-02-20 10:27                                         ` Petr Lautrbach
2019-02-19 12:11                                 ` Petr Lautrbach
2019-02-19 12:37                                   ` Dominick Grift
2019-02-19 12:40                                     ` Dominick Grift
2019-02-15 16:50         ` Dominick Grift
2019-02-15 15:15     ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190216121256.GB11908@brutus.lan \
    --to=dac.override@gmail.com \
    --cc=paul@paul-moore.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).