From: Stephen Smalley <sds@tycho.nsa.gov>
To: Dominick Grift <dac.override@gmail.com>
Cc: Paul Moore <paul@paul-moore.com>, selinux@vger.kernel.org
Subject: Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
Date: Fri, 15 Feb 2019 14:48:45 -0500 [thread overview]
Message-ID: <27efd865-7d08-fc61-e004-0a07f27e165e@tycho.nsa.gov> (raw)
In-Reply-To: <87h8d4974p.fsf@gmail.com>
On 2/15/19 2:36 PM, Dominick Grift wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
>
>> On 2/15/19 2:21 PM, Dominick Grift wrote:
>>> Paul Moore <paul@paul-moore.com> writes:
>>>
>>>> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
>>>>> Dominick Grift <dac.override@gmail.com> writes:
>>>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>>>
>>>>>>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>>>>>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>>>>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>>>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>>>>>>> Add basic MLS policy support to mdp. Declares
>>>>>>>>>>>> two sensitivities and two categories, defines
>>>>>>>>>>>> mls constraints for all permissions requiring
>>>>>>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>>>>>>> level to initial SID contexts and the default user
>>>>>>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>>>>>>
>>>>>>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>>>>>>> generate rules for filesystems that are configured
>>>>>>>>>>>> in the kernel. In some cases this depends on a specific
>>>>>>>>>>>> config option for security xattrs, in other cases security
>>>>>>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>>>>>>> is always enabled in the kernel. Dropped obsolete pseudo
>>>>>>>>>>>> filesystems.
>>>>>>>>>>>>
>>>>>>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>>>>>>> We should probably expand it.
>>>>>>>>>>>>
>>>>>>>>>>>> Usage:
>>>>>>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>>>>>>
>>>>>>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>>>>>>
>>>>>>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>>>>>>> ---
>>>>>>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>>>>>>> SYSTEMLOW and
>>>>>>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>>>>>> scripts/selinux/mdp/mdp.c | 131
>>>>>>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>>>>>> 1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>>>>>>
>>>>>>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>>>>>>> too! For those who don't follow the GitHub issues, I just opened an
>>>>>>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>>>>>>> mdp tool.
>>>>>>>>>>>
>>>>>>>>>>> Are you planning to keep playing with this? I'm asking not because I
>>>>>>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>>>>>>> merge something that you want to continue working on. If you are
>>>>>>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>>>>>>> of a built kernel, but rather a developer's tool.
>>>>>>>>>>
>>>>>>>>>> No, I think I'm done for now unless you find a problem with
>>>>>>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>>>>>>> spending any more time on it.
>>>>>>>>>
>>>>>>>>> Note however that the instructions in
>>>>>>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>>>>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>>>>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>>>>>>> do it all by hand.
>>>>>>>>
>>>>>>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>>>>>>> Partly appears to be due to systemd having embedded security
>>>>>>>> contexts specific to Fedora/refpolicy into its own configurations
>>>>>>>> and partly due to MLS denials. I don't even know if it would work
>>>>>>>> before this change though...
>>>>>>>
>>>>>>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>>>>>>> permissive, before or after this change. I assume it has to do with
>>>>>>> leaking of contexts outside of the policy and/or missing config files
>>>>>>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>>>>>>> systemd_contexts and other userspace config files that don't exist in
>>>>>>> the mdp policy). More evidence of the irrelevance of mdp...
>>>>>>
>>>>>> Oh, right you need a "dbus_contexts" file probably. DBUS refuses to
>>>>>> start without it, and these day's without dbus no system
>>>>>
>>>>> My dssp2-minimal [1] policy is my alternative to mdp.
>>>>>
>>>>> https://github.com/DefenSec/dssp2-minimal
>>>>>
>>>>> It is not quite as simple as mpd but it think it is decent balance
>>>>> between having something useful and still easy to read.
>>>>
>>>> While dssp2-minimal is much smaller than reference policy, it's still
>>>> an order of magnitude larger than the mdp generated policy. I'm not
>>>> sure if this is something you care about, but if you wanted to work on
>>>> getting mdp to the point where it would allow a Fedora system (or any
>>>> modern SELinux based system for that matter) to boot, that could be
>>>> useful, even if I'm not convinced it needs to be a priority at the
>>>> moment.
>>>
>>> It is also an order of magnitude more useful than mdp.
>>>
>>> I suppose I could look at what it would take to get it to boot on some
>>> rainy afternoon. Should not be hard, but i hesitate to polute mdp with
>>> user space access vectors. It feels like setting a precendent somehow.
>>
>> In theory, if using selinux_check_access() to check permissions and if
>> the policy sets allow_unknown=true, then the absence of the userspace
>> classes and access vectors should just cause all userspace permission
>> checks to pass.
>>
>> Of course, not all userspace object managers use
>> selinux_check_access(), and may not check security_deny_unknown()
>> directly.
>
> The two object managers that matter do use selinux_access_check()
>
> I admit that I got a little curious to find out what the issue is.
Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
without specifying -U / --handle-unknown, so the policy defaults to
deny, and that would indeed render dbus-daemon and systemd broken with
that policy. Might be as simple to fix as passing -U allow.
>
>>
>>>
>>>>
>>>> Besides, haven't you always wanted to get a patch accepted into the
>>>> kernel Dominick? ;)
>>>
>>> Not particularly, no.
>>>
>>
>
next prev parent reply other threads:[~2019-02-15 19:48 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-15 14:50 [PATCH v3] scripts/selinux: add basic mls support to mdp Stephen Smalley
2019-02-15 15:00 ` Paul Moore
2019-02-15 15:03 ` Stephen Smalley
2019-02-15 15:05 ` Stephen Smalley
2019-02-15 15:18 ` Paul Moore
2019-02-15 15:25 ` Stephen Smalley
2019-02-15 15:37 ` Paul Moore
2019-02-15 15:40 ` Stephen Smalley
2019-02-15 16:52 ` Dominick Grift
2019-02-15 17:16 ` Stephen Smalley
2019-02-15 17:19 ` Dominick Grift
2019-02-15 17:24 ` Dominick Grift
2019-02-15 19:11 ` Paul Moore
2019-02-15 19:21 ` Dominick Grift
2019-02-15 19:30 ` Stephen Smalley
2019-02-15 19:36 ` Dominick Grift
2019-02-15 19:48 ` Stephen Smalley [this message]
2019-02-16 12:04 ` Dominick Grift
2019-02-16 12:12 ` Dominick Grift
2019-02-18 3:12 ` Paul Moore
2019-02-18 7:08 ` Dominick Grift
[not found] ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
2019-02-19 8:15 ` Dominick Grift
2019-02-19 11:08 ` Dominick Grift
[not found] ` <CAB9W1A2s+PcrC=fPXA9AYRm1oVYArsRCGKihM5mjUqnQtuLe3w@mail.gmail.com>
[not found] ` <CAB9W1A3Pef5pfAZ8UEvSQYvWA9oZTRNPvWFCHw8e9eqZsGvGWA@mail.gmail.com>
2019-02-20 10:27 ` Petr Lautrbach
2019-02-19 12:11 ` Petr Lautrbach
2019-02-19 12:37 ` Dominick Grift
2019-02-19 12:40 ` Dominick Grift
2019-02-15 16:50 ` Dominick Grift
2019-02-15 15:15 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=27efd865-7d08-fc61-e004-0a07f27e165e@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=dac.override@gmail.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).