From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>,
Ondrej Mosnacek <omosnace@redhat.com>,
bauen1 <j2468h@googlemail.com>
Subject: Re: [PATCH] selinux: log error messages on required process class / permissions
Date: Tue, 23 Jun 2020 21:08:44 -0400 [thread overview]
Message-ID: <CAHC9VhRGchDjwdM_KsBUnQF7krWuArYahOB+G=ZMZKd1zbUr3Q@mail.gmail.com> (raw)
In-Reply-To: <CAEjxPJ6EHbCh+S1D8dm61Mw7YkMDHELNHVwKEtinNciaoTzYoQ@mail.gmail.com>
On Thu, Jun 18, 2020 at 10:03 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Wed, Jun 17, 2020 at 3:23 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > In general SELinux no longer treats undefined object classes or permissions
> > in the policy as a fatal error, instead handling them in accordance with
> > handle_unknown. However, the process class and process transition and
> > dyntransition permissions are still required to be defined due to
> > dependencies on these definitions for default labeling behaviors,
> > role and range transitions in older policy versions that lack an explicit
> > class field, and role allow checking. Log error messages in these cases
> > since otherwise the policy load will fail silently with no indication
> > to the user as to the underlying cause. While here, fix the checking for
> > process transition / dyntransition so that omitting either permission is
> > handled as an error; both are needed in order to ensure that role allow
> > checking is consistently applied.
> >
> > Reported-by: bauen1 <j2468h@googlemail.com>
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
>
> BTW I considered and even put together an initial patch to instead
> make the process class and transition permissions optional but thought
> it was unnecessary complexity for no real gain. One would end up with
> a system where new processes would be treated like objects for
> labeling (e.g. object_r for the role, inherit type from related object
> in this case the executable file) and role allow rules would be
> unenforceable. I suppose we could change the test of the process
> class to be based on the kernel value rather than the policy value,
> which would at least provide sane defaults for labeling.
Yes, I think this patch is fine, it seems reasonable to require some
basic policy definitions.
Merged into selinux/next, thanks.
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2020-06-24 1:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-17 19:23 [PATCH] selinux: log error messages on required process class / permissions Stephen Smalley
2020-06-18 14:03 ` Stephen Smalley
2020-06-18 14:13 ` Dominick Grift
2020-06-24 1:08 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhRGchDjwdM_KsBUnQF7krWuArYahOB+G=ZMZKd1zbUr3Q@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=j2468h@googlemail.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).