selinux.vger.kernel.org archive mirror
* [PATCH v3] scripts/selinux: add basic mls support to mdp
@ 2019-02-15 14:50 Stephen Smalley
  2019-02-15 15:00 ` Paul Moore
  0 siblings, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 14:50 UTC (permalink / raw)
  To: paul; +Cc: selinux, Stephen Smalley

Add basic MLS policy support to mdp.  Declares
two sensitivities and two categories, defines
mls constraints for all permissions requiring
dominance (ala MCS), assigns the system-high
level to initial SID contexts and the default user
level, and assigns system-low level to filesystems.

Also reworks the fs_use and genfscon rules to only
generate rules for filesystems that are configured
in the kernel.  In some cases this depends on a specific
config option for security xattrs, in other cases security
xattrs are unconditionally supported by a given filesystem
if the filesystem is enabled, and in some cases the filesystem
is always enabled in the kernel.  Dropped obsolete pseudo
filesystems.

NB The list of fs_use_* and genfscon rules emitted by mdp
is very incomplete compared to refpolicy or Android sepolicy.
We should probably expand it.

Usage:
scripts/selinux/mdp/mdp -m policy.conf file_contexts
checkpolicy -M -o policy policy.conf

Then install the resulting policy and file_contexts as usual.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
v3 fixes up the file contexts generation code to also use SYSTEMLOW and
collapse down to a single fprintf call per line.
 scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
 1 file changed, 103 insertions(+), 28 deletions(-)

diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index 073fe7537f6c..4223e2fea441 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -33,6 +33,7 @@
 #include <unistd.h>
 #include <string.h>
 #include <sys/socket.h>
+#include <linux/kconfig.h>
 
 static void usage(char *name)
 {
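Review bot: <linux/kconfig.h> is what makes the CONFIG_* tests in the later hunks work (it pulls in generated/autoconf.h), so from this patch on mdp can only be built against a configured kernel tree and the set of fs_use/genfscon rules it emits depends on that tree's .config. That is a behaviour change worth one sentence in the commit message or in usage(), and it is worth confirming the hostprog's include path resolves this header from the objtree rather than from an installed copy of the UAPI headers.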
@@ -95,10 +96,31 @@ int main(int argc, char *argv[])
 	}
 	fprintf(fout, "\n");
 
-	/* NOW PRINT OUT MLS STUFF */
+	/* print out mls declarations and constraints */
 	if (mls) {
-		printf("MLS not yet implemented\n");
-		exit(1);
+		fprintf(fout, "sensitivity s0;\n");
+		fprintf(fout, "sensitivity s1;\n");
+		fprintf(fout, "dominance { s0 s1 }\n");
+		fprintf(fout, "category c0;\n");
+		fprintf(fout, "category c1;\n");
+		fprintf(fout, "level s0:c0.c1;\n");
+		fprintf(fout, "level s1:c0.c1;\n");
+#define SYSTEMLOW "s0"
+#define SYSTEMHIGH "s1:c0.c1"
+		for (i = 0; secclass_map[i].name; i++) {
+			struct security_class_mapping *map = &secclass_map[i];
+
+			fprintf(fout, "mlsconstrain %s {\n", map->name);
+			for (j = 0; map->perms[j]; j++)
+				fprintf(fout, "\t%s\n", map->perms[j]);
+			/*
+			 * This requires all subjects and objects to be
+			 * single-level (l2 eq h2), and that the subject
+			 * level dominate the object level (h1 dom h2)
+			 * in order to have any permissions to it.
+			 */
+			fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
+		}
 	}
 
 	/* types, roles, and allows */
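Review bot: the comment above the constraint reads as if "l2 eq h2" makes subjects single-level, but the expression only constrains the target range; a subject with a ranged context (which the user_u range in the next hunk permits) passes "h1 dom h2" on its own. Subjects end up single-level only indirectly, because the constraint is applied to every class including process, so a ranged process fails l2 eq h2 whenever it is itself the target. Suggest saying so in the comment, or adding "l1 eq h1" if single-level subjects are the intent. Minor: SYSTEMLOW/SYSTEMHIGH are #defined inside the "if (mls)" block but used in the hunks below outside it; the preprocessor does not care, but file scope next to the other macros would make that obvious.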
@@ -108,34 +130,87 @@ int main(int argc, char *argv[])
 	for (i = 0; secclass_map[i].name; i++)
 		fprintf(fout, "allow base_t base_t:%s *;\n",
 			secclass_map[i].name);
-	fprintf(fout, "user user_u roles { base_r };\n");
-	fprintf(fout, "\n");
+	fprintf(fout, "user user_u roles { base_r }");
+	if (mls)
+		fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
+			SYSTEMLOW, SYSTEMHIGH);
+	fprintf(fout, ";\n");
+
+#define USERROLETYPE "user_u:base_r:base_t"
 
 	/* default sids */
 	for (i = 1; i < initial_sid_to_string_len; i++)
-		fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
+		fprintf(fout, "sid %s " USERROLETYPE "%s\n",
+			initial_sid_to_string[i], mls ? ":" SYSTEMHIGH : "");
 	fprintf(fout, "\n");
 
-	fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
-
-	fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
-
-	fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
-	fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
-
-	fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
+#define FS_USE(behavior, fstype)			    \
+	fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
+		behavior, fstype, mls ? ":" SYSTEMLOW : "")
+
+	/*
+	 * Filesystems whose inode labels can be fetched via getxattr.
+	 */
+#ifdef CONFIG_EXT2_FS_SECURITY
+	FS_USE("xattr", "ext2");
+#endif
+#ifdef CONFIG_EXT3_FS_SECURITY
+	FS_USE("xattr", "ext3");
+#endif
+#ifdef CONFIG_EXT4_FS_SECURITY
+	FS_USE("xattr", "ext4");
+#endif
+#ifdef CONFIG_JFS_SECURITY
+	FS_USE("xattr", "jfs");
+#endif
+#ifdef CONFIG_REISERFS_FS_SECURITY
+	FS_USE("xattr", "reiserfs");
+#endif
+#ifdef CONFIG_JFFS2_FS_SECURITY
+	FS_USE("xattr", "jffs2");
+#endif
+#ifdef CONFIG_XFS_FS
+	FS_USE("xattr", "xfs");
+#endif
+#ifdef CONFIG_GFS2_FS
+	FS_USE("xattr", "gfs2");
+#endif
+
+	/*
+	 * Filesystems whose inodes are labeled from allocating task.
+	 */
+	FS_USE("task", "pipefs");
+	FS_USE("task", "sockfs");
+#ifdef CONFIG_POSIX_MQUEUE
+	FS_USE("task", "mqueue");
+#endif
+
+	/*
+	 * Filesystems whose inode labels are computed from both
+	 * the allocating task and the superblock label.
+	 */
+#ifdef CONFIG_UNIX98_PTYS
+	FS_USE("trans", "devpts");
+#endif
+#ifdef CONFIG_HUGETLBFS
+	FS_USE("trans", "hugetlbfs");
+#endif
+#ifdef CONFIG_TMPFS
+	FS_USE("trans", "tmpfs");
+#endif
+
+
+#define GENFSCON(fstype, prefix)			     \
+	fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
+		fstype, prefix, mls ? ":" SYSTEMLOW : "")
+
+	/*
+	 * Filesystems whose inodes are labeled from path prefix match
+	 * relative to the filesystem root.  Depending on the filesystem,
+	 * only a single label for all inodes may be supported.
+	 */
+	GENFSCON("proc", "/");
+	GENFSCON("selinuxfs", "/");
 
 	fclose(fout);
 
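Review bot: "#ifdef CONFIG_XFS_FS" and "#ifdef CONFIG_GFS2_FS" miss the modular case: both options are tristate, and a =m build defines CONFIG_XFS_FS_MODULE rather than CONFIG_XFS_FS, so a kernel with XFS or GFS2 as a module gets no fs_use_xattr rule for it. Since the first hunk already includes <linux/kconfig.h>, "#if IS_ENABLED(CONFIG_XFS_FS)" covers =y and =m; the *_FS_SECURITY, POSIX_MQUEUE, UNIX98_PTYS, HUGETLBFS and TMPFS options are bool, so #ifdef is fine for those. Nit: there are two consecutive blank lines before the GENFSCON macro.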
@@ -144,8 +219,8 @@ int main(int argc, char *argv[])
 		printf("Wrote policy, but cannot open %s for writing\n", ctxout);
 		usage(argv[0]);
 	}
-	fprintf(fout, "/ user_u:base_r:base_t\n");
-	fprintf(fout, "/.* user_u:base_r:base_t\n");
+	fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
+	fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
 	fclose(fout);
 
 	return 0;
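Review bot: the "mls ? ":" SYSTEMLOW : """ expression now appears in FS_USE, GENFSCON and both file_contexts lines here; folding it into one macro (something like MLS_LOW_SUFFIX, a name proposed here, not one in the file) would keep the four sites from drifting if the low level or the separator ever changes, and would shorten these two fprintf calls.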
-- 
2.20.1


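An added example, not code from Stephen's patch or from the kernel's mdp tool: a small C program that parses levels in the policy syntax the patch emits ("s0", "s1:c0.c1") and evaluates the constraint body "(l2 eq h2 and h1 dom h2)" that the patch attaches to every class, over the contexts "mdp -m" produces (user_u ranging s0 - s1:c0.c1, initial SIDs at system-high, filesystems and file_contexts at system-low). The function names, the 32-category limit and the sample contexts are constructed for this illustration.

```c
/* Added example (not code from the mdp patch): evaluate the MLS constraint
 * body "(l2 eq h2 and h1 dom h2)" that the patch emits for every class,
 * over levels written in the policy syntax it generates ("s0", "s1:c0.c1").
 * Names and sample contexts below are constructed for this illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct mls_level {
	int sens;          /* sensitivity index: "s1" -> 1 */
	unsigned int cats; /* category bitmask: bit n set means cn is present */
};

/* Parse "sN", "sN:cA.cB" (inclusive range) or "sN:cA,cB,...".  Categories
 * are limited to c0..c31 here, enough for the c0/c1 the policy declares.
 * Returns false on malformed input. */
static bool mls_parse_level(const char *s, struct mls_level *out)
{
	char *end;

	out->cats = 0;
	if (*s != 's')
		return false;
	out->sens = (int)strtol(s + 1, &end, 10);
	if (end == s + 1 || out->sens < 0)
		return false;
	if (*end == '\0')
		return true;
	if (*end != ':' || end[1] == '\0')
		return false;
	for (s = end + 1; *s; s = end) {
		long a, b;

		if (*s != 'c')
			return false;
		a = b = strtol(s + 1, &end, 10);
		if (end == s + 1)
			return false;
		if (*end == '.') {	/* "cA.cB": every category from A to B */
			const char *p = end + 1;

			if (*p != 'c')
				return false;
			b = strtol(p + 1, &end, 10);
			if (end == p + 1)
				return false;
		}
		if (a < 0 || b < a || b > 31)
			return false;
		for (long c = a; c <= b; c++)
			out->cats |= 1u << c;
		if (*end == ',' && end[1] != '\0')
			end++;
		else if (*end != '\0')
			return false;
	}
	return true;
}

/* a dominates b: sensitivity at least b's and a superset of b's categories */
static bool mls_dom(const struct mls_level *a, const struct mls_level *b)
{
	return a->sens >= b->sens && (a->cats & b->cats) == b->cats;
}

static bool mls_eq(const struct mls_level *a, const struct mls_level *b)
{
	return a->sens == b->sens && a->cats == b->cats;
}

/* Source range l1-h1 against target range l2-h2, given as policy strings.
 * Returns 1 if "(l2 eq h2 and h1 dom h2)" holds, 0 if it denies, -1 if a
 * level fails to parse.  l1 is parsed for validity only; the emitted
 * constraint never consults it. */
int mls_constraint_allows(const char *l1, const char *h1,
			  const char *l2, const char *h2)
{
	struct mls_level L1, H1, L2, H2;

	if (!mls_parse_level(l1, &L1) || !mls_parse_level(h1, &H1) ||
	    !mls_parse_level(l2, &L2) || !mls_parse_level(h2, &H2))
		return -1;
	return mls_eq(&L2, &H2) && mls_dom(&H1, &H2);
}

int main(void)
{
	/* Constructed contexts matching what "mdp -m" produces: user_u ranges
	 * s0 - s1:c0.c1, initial SIDs sit at s1:c0.c1 (system-high), and
	 * fs_use/genfscon/file_contexts entries are s0 (system-low). */
	static const struct { const char *l1, *h1, *l2, *h2; } cases[] = {
		{ "s1:c0.c1", "s1:c0.c1", "s0", "s0" },       /* system-high task on a file */
		{ "s0", "s0", "s1:c0.c1", "s1:c0.c1" },       /* low task on a high object */
		{ "s0", "s1:c0.c1", "s0", "s0" },             /* ranged subject: h1 decides */
		{ "s1:c0.c1", "s1:c0.c1", "s0", "s1:c0.c1" }, /* ranged object fails l2 eq h2 */
		{ "s1:c0", "s1:c0", "s1:c1", "s1:c1" },       /* same sens, disjoint categories */
	};
	static const char *verdict[] = { "denied", "allowed" };

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int r = mls_constraint_allows(cases[i].l1, cases[i].h1,
					      cases[i].l2, cases[i].h2);

		printf("%s-%s on %s-%s: %s\n", cases[i].l1, cases[i].h1,
		       cases[i].l2, cases[i].h2,
		       r < 0 ? "parse error" : verdict[r]);
	}
	return 0;
}
```

The third case is the one to look at: a ranged user_u subject is allowed because only h1 enters the dominance test, while the fourth case shows the same object range being rejected by "l2 eq h2", which is why the constraint makes objects, not subjects, single-level.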

* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 14:50 [PATCH v3] scripts/selinux: add basic mls support to mdp Stephen Smalley
@ 2019-02-15 15:00 ` Paul Moore
  2019-02-15 15:03   ` Stephen Smalley
  0 siblings, 1 reply; 29+ messages in thread
From: Paul Moore @ 2019-02-15 15:00 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Add basic MLS policy support to mdp.  Declares
> two sensitivities and two categories, defines
> mls constraints for all permissions requiring
> dominance (ala MCS), assigns the system-high
> level to initial SID contexts and the default user
> level, and assigns system-low level to filesystems.
>
> Also reworks the fs_use and genfscon rules to only
> generate rules for filesystems that are configured
> in the kernel.  In some cases this depends on a specific
> config option for security xattrs, in other cases security
> xattrs are unconditionally supported by a given filesystem
> if the filesystem is enabled, and in some cases the filesystem
> is always enabled in the kernel.  Dropped obsolete pseudo
> filesystems.
>
> NB The list of fs_use_* and genfscon rules emitted by mdp
> is very incomplete compared to refpolicy or Android sepolicy.
> We should probably expand it.
>
> Usage:
> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> checkpolicy -M -o policy policy.conf
>
> Then install the resulting policy and file_contexts as usual.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> collapse down to a single fprintf call per line.
>  scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
>  1 file changed, 103 insertions(+), 28 deletions(-)

This is great Stephen, thanks for working on this - and rather quickly
too!  For those who don't follow the GitHub issues, I just opened an
issue yesterday mentioning it would be nice to add MLS support to the
mdp tool.

Are you planning to keep playing with this?  I'm asking not because I
think it needs more work to be worthwhile, but rather I don't want to
merge something that you want to continue working on.  If you are
happy with this latest patch I think it is okay to merge this into
selinux/next, even at this late stage, simply because it is not part
of a built kernel, but rather a developer's tool.

> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
> index 073fe7537f6c..4223e2fea441 100644
> --- a/scripts/selinux/mdp/mdp.c
> +++ b/scripts/selinux/mdp/mdp.c
> @@ -33,6 +33,7 @@
>  #include <unistd.h>
>  #include <string.h>
>  #include <sys/socket.h>
> +#include <linux/kconfig.h>
>
>  static void usage(char *name)
>  {
> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>         }
>         fprintf(fout, "\n");
>
> -       /* NOW PRINT OUT MLS STUFF */
> +       /* print out mls declarations and constraints */
>         if (mls) {
> -               printf("MLS not yet implemented\n");
> -               exit(1);
> +               fprintf(fout, "sensitivity s0;\n");
> +               fprintf(fout, "sensitivity s1;\n");
> +               fprintf(fout, "dominance { s0 s1 }\n");
> +               fprintf(fout, "category c0;\n");
> +               fprintf(fout, "category c1;\n");
> +               fprintf(fout, "level s0:c0.c1;\n");
> +               fprintf(fout, "level s1:c0.c1;\n");
> +#define SYSTEMLOW "s0"
> +#define SYSTEMHIGH "s1:c0.c1"
> +               for (i = 0; secclass_map[i].name; i++) {
> +                       struct security_class_mapping *map = &secclass_map[i];
> +
> +                       fprintf(fout, "mlsconstrain %s {\n", map->name);
> +                       for (j = 0; map->perms[j]; j++)
> +                               fprintf(fout, "\t%s\n", map->perms[j]);
> +                       /*
> +                        * This requires all subjects and objects to be
> +                        * single-level (l2 eq h2), and that the subject
> +                        * level dominate the object level (h1 dom h2)
> +                        * in order to have any permissions to it.
> +                        */
> +                       fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
> +               }
>         }
>
>         /* types, roles, and allows */
> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>         for (i = 0; secclass_map[i].name; i++)
>                 fprintf(fout, "allow base_t base_t:%s *;\n",
>                         secclass_map[i].name);
> -       fprintf(fout, "user user_u roles { base_r };\n");
> -       fprintf(fout, "\n");
> +       fprintf(fout, "user user_u roles { base_r }");
> +       if (mls)
> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
> +                       SYSTEMLOW, SYSTEMHIGH);
> +       fprintf(fout, ";\n");
> +
> +#define USERROLETYPE "user_u:base_r:base_t"
>
>         /* default sids */
>         for (i = 1; i < initial_sid_to_string_len; i++)
> -               fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
> +                       initial_sid_to_string[i], mls ? ":" SYSTEMHIGH : "");
>         fprintf(fout, "\n");
>
> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
> -
> -       fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
> -
> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
> -
> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
> +#define FS_USE(behavior, fstype)                           \
> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
> +
> +       /*
> +        * Filesystems whose inode labels can be fetched via getxattr.
> +        */
> +#ifdef CONFIG_EXT2_FS_SECURITY
> +       FS_USE("xattr", "ext2");
> +#endif
> +#ifdef CONFIG_EXT3_FS_SECURITY
> +       FS_USE("xattr", "ext3");
> +#endif
> +#ifdef CONFIG_EXT4_FS_SECURITY
> +       FS_USE("xattr", "ext4");
> +#endif
> +#ifdef CONFIG_JFS_SECURITY
> +       FS_USE("xattr", "jfs");
> +#endif
> +#ifdef CONFIG_REISERFS_FS_SECURITY
> +       FS_USE("xattr", "reiserfs");
> +#endif
> +#ifdef CONFIG_JFFS2_FS_SECURITY
> +       FS_USE("xattr", "jffs2");
> +#endif
> +#ifdef CONFIG_XFS_FS
> +       FS_USE("xattr", "xfs");
> +#endif
> +#ifdef CONFIG_GFS2_FS
> +       FS_USE("xattr", "gfs2");
> +#endif
> +
> +       /*
> +        * Filesystems whose inodes are labeled from allocating task.
> +        */
> +       FS_USE("task", "pipefs");
> +       FS_USE("task", "sockfs");
> +#ifdef CONFIG_POSIX_MQUEUE
> +       FS_USE("task", "mqueue");
> +#endif
> +
> +       /*
> +        * Filesystems whose inode labels are computed from both
> +        * the allocating task and the superblock label.
> +        */
> +#ifdef CONFIG_UNIX98_PTYS
> +       FS_USE("trans", "devpts");
> +#endif
> +#ifdef CONFIG_HUGETLBFS
> +       FS_USE("trans", "hugetlbfs");
> +#endif
> +#ifdef CONFIG_TMPFS
> +       FS_USE("trans", "tmpfs");
> +#endif
> +
> +
> +#define GENFSCON(fstype, prefix)                            \
> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
> +
> +       /*
> +        * Filesystems whose inodes are labeled from path prefix match
> +        * relative to the filesystem root.  Depending on the filesystem,
> +        * only a single label for all inodes may be supported.
> +        */
> +       GENFSCON("proc", "/");
> +       GENFSCON("selinuxfs", "/");
>
>         fclose(fout);
>
> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>                 printf("Wrote policy, but cannot open %s for writing\n", ctxout);
>                 usage(argv[0]);
>         }
> -       fprintf(fout, "/ user_u:base_r:base_t\n");
> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
>         fclose(fout);
>
>         return 0;
> --
> 2.20.1
>


-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:00 ` Paul Moore
@ 2019-02-15 15:03   ` Stephen Smalley
  2019-02-15 15:05     ` Stephen Smalley
  2019-02-15 15:15     ` Paul Moore
  0 siblings, 2 replies; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 15:03 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 2/15/19 10:00 AM, Paul Moore wrote:
> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> Add basic MLS policy support to mdp.  Declares
>> two sensitivities and two categories, defines
>> mls constraints for all permissions requiring
>> dominance (ala MCS), assigns the system-high
>> level to initial SID contexts and the default user
>> level, and assigns system-low level to filesystems.
>>
>> Also reworks the fs_use and genfscon rules to only
>> generate rules for filesystems that are configured
>> in the kernel.  In some cases this depends on a specific
>> config option for security xattrs, in other cases security
>> xattrs are unconditionally supported by a given filesystem
>> if the filesystem is enabled, and in some cases the filesystem
>> is always enabled in the kernel.  Dropped obsolete pseudo
>> filesystems.
>>
>> NB The list of fs_use_* and genfscon rules emitted by mdp
>> is very incomplete compared to refpolicy or Android sepolicy.
>> We should probably expand it.
>>
>> Usage:
>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>> checkpolicy -M -o policy policy.conf
>>
>> Then install the resulting policy and file_contexts as usual.
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
>> collapse down to a single fprintf call per line.
>>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
>>   1 file changed, 103 insertions(+), 28 deletions(-)
> 
> This is great Stephen, thanks for working on this - and rather quickly
> too!  For those who don't follow the GitHub issues, I just opened an
> issue yesterday mentioning it would be nice to add MLS support to the
> mdp tool.
> 
> Are you planning to keep playing with this?  I'm asking not because I
> think it needs more work to be worthwhile, but rather I don't want to
> merge something that you want to continue working on.  If you are
> happy with this latest patch I think it is okay to merge this into
> selinux/next, even at this late stage, simply because it is not part
> of a built kernel, but rather a developer's tool.

No, I think I'm done for now unless you find a problem with it.  Absent 
some compelling use case for mdp it is hard to justify spending any more 
time on it.

> 
>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>> index 073fe7537f6c..4223e2fea441 100644
>> --- a/scripts/selinux/mdp/mdp.c
>> +++ b/scripts/selinux/mdp/mdp.c
>> @@ -33,6 +33,7 @@
>>   #include <unistd.h>
>>   #include <string.h>
>>   #include <sys/socket.h>
>> +#include <linux/kconfig.h>
>>
>>   static void usage(char *name)
>>   {
>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>          }
>>          fprintf(fout, "\n");
>>
>> -       /* NOW PRINT OUT MLS STUFF */
>> +       /* print out mls declarations and constraints */
>>          if (mls) {
>> -               printf("MLS not yet implemented\n");
>> -               exit(1);
>> +               fprintf(fout, "sensitivity s0;\n");
>> +               fprintf(fout, "sensitivity s1;\n");
>> +               fprintf(fout, "dominance { s0 s1 }\n");
>> +               fprintf(fout, "category c0;\n");
>> +               fprintf(fout, "category c1;\n");
>> +               fprintf(fout, "level s0:c0.c1;\n");
>> +               fprintf(fout, "level s1:c0.c1;\n");
>> +#define SYSTEMLOW "s0"
>> +#define SYSTEMHIGH "s1:c0.c1"
>> +               for (i = 0; secclass_map[i].name; i++) {
>> +                       struct security_class_mapping *map = &secclass_map[i];
>> +
>> +                       fprintf(fout, "mlsconstrain %s {\n", map->name);
>> +                       for (j = 0; map->perms[j]; j++)
>> +                               fprintf(fout, "\t%s\n", map->perms[j]);
>> +                       /*
>> +                        * This requires all subjects and objects to be
>> +                        * single-level (l2 eq h2), and that the subject
>> +                        * level dominate the object level (h1 dom h2)
>> +                        * in order to have any permissions to it.
>> +                        */
>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n");
>> +               }
>>          }
>>
>>          /* types, roles, and allows */
>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>          for (i = 0; secclass_map[i].name; i++)
>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>                          secclass_map[i].name);
>> -       fprintf(fout, "user user_u roles { base_r };\n");
>> -       fprintf(fout, "\n");
>> +       fprintf(fout, "user user_u roles { base_r }");
>> +       if (mls)
>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>> +                       SYSTEMLOW, SYSTEMHIGH);
>> +       fprintf(fout, ";\n");
>> +
>> +#define USERROLETYPE "user_u:base_r:base_t"
>>
>>          /* default sids */
>>          for (i = 1; i < initial_sid_to_string_len; i++)
>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>> +                       initial_sid_to_string[i], mls ? ":" SYSTEMHIGH : "");
>>          fprintf(fout, "\n");
>>
>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>> -
>> -       fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>> -
>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>> -
>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>> +#define FS_USE(behavior, fstype)                           \
>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>> +
>> +       /*
>> +        * Filesystems whose inode labels can be fetched via getxattr.
>> +        */
>> +#ifdef CONFIG_EXT2_FS_SECURITY
>> +       FS_USE("xattr", "ext2");
>> +#endif
>> +#ifdef CONFIG_EXT3_FS_SECURITY
>> +       FS_USE("xattr", "ext3");
>> +#endif
>> +#ifdef CONFIG_EXT4_FS_SECURITY
>> +       FS_USE("xattr", "ext4");
>> +#endif
>> +#ifdef CONFIG_JFS_SECURITY
>> +       FS_USE("xattr", "jfs");
>> +#endif
>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>> +       FS_USE("xattr", "reiserfs");
>> +#endif
>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>> +       FS_USE("xattr", "jffs2");
>> +#endif
>> +#ifdef CONFIG_XFS_FS
>> +       FS_USE("xattr", "xfs");
>> +#endif
>> +#ifdef CONFIG_GFS2_FS
>> +       FS_USE("xattr", "gfs2");
>> +#endif
>> +
>> +       /*
>> +        * Filesystems whose inodes are labeled from allocating task.
>> +        */
>> +       FS_USE("task", "pipefs");
>> +       FS_USE("task", "sockfs");
>> +#ifdef CONFIG_POSIX_MQUEUE
>> +       FS_USE("task", "mqueue");
>> +#endif
>> +
>> +       /*
>> +        * Filesystems whose inode labels are computed from both
>> +        * the allocating task and the superblock label.
>> +        */
>> +#ifdef CONFIG_UNIX98_PTYS
>> +       FS_USE("trans", "devpts");
>> +#endif
>> +#ifdef CONFIG_HUGETLBFS
>> +       FS_USE("trans", "hugetlbfs");
>> +#endif
>> +#ifdef CONFIG_TMPFS
>> +       FS_USE("trans", "tmpfs");
>> +#endif
>> +
>> +
>> +#define GENFSCON(fstype, prefix)                            \
>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>> +
>> +       /*
>> +        * Filesystems whose inodes are labeled from path prefix match
>> +        * relative to the filesystem root.  Depending on the filesystem,
>> +        * only a single label for all inodes may be supported.
>> +        */
>> +       GENFSCON("proc", "/");
>> +       GENFSCON("selinuxfs", "/");
>>
>>          fclose(fout);
>>
>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>                  printf("Wrote policy, but cannot open %s for writing\n", ctxout);
>>                  usage(argv[0]);
>>          }
>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : "");
>>          fclose(fout);
>>
>>          return 0;
>> --
>> 2.20.1
>>
> 
> 



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:03   ` Stephen Smalley
@ 2019-02-15 15:05     ` Stephen Smalley
  2019-02-15 15:18       ` Paul Moore
  2019-02-15 15:25       ` Stephen Smalley
  2019-02-15 15:15     ` Paul Moore
  1 sibling, 2 replies; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 15:05 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 2/15/19 10:03 AM, Stephen Smalley wrote:
> On 2/15/19 10:00 AM, Paul Moore wrote:
>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> 
>> wrote:
>>> Add basic MLS policy support to mdp.  Declares
>>> two sensitivities and two categories, defines
>>> mls constraints for all permissions requiring
>>> dominance (ala MCS), assigns the system-high
>>> level to initial SID contexts and the default user
>>> level, and assigns system-low level to filesystems.
>>>
>>> Also reworks the fs_use and genfscon rules to only
>>> generate rules for filesystems that are configured
>>> in the kernel.  In some cases this depends on a specific
>>> config option for security xattrs, in other cases security
>>> xattrs are unconditionally supported by a given filesystem
>>> if the filesystem is enabled, and in some cases the filesystem
>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>> filesystems.
>>>
>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>> is very incomplete compared to refpolicy or Android sepolicy.
>>> We should probably expand it.
>>>
>>> Usage:
>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>> checkpolicy -M -o policy policy.conf
>>>
>>> Then install the resulting policy and file_contexts as usual.
>>>
>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>> ---
>>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
>>> collapse down to a single fprintf call per line.
>>>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>
>> This is great Stephen, thanks for working on this - and rather quickly
>> too!  For those who don't follow the GitHub issues, I just opened an
>> issue yesterday mentioning it would be nice to add MLS support to the
>> mdp tool.
>>
>> Are you planning to keep playing with this?  I'm asking not because I
>> think it needs more work to be worthwhile, but rather I don't want to
>> merge something that you want to continue working on.  If you are
>> happy with this latest patch I think it is okay to merge this into
>> selinux/next, even at this late stage, simply because it is not part
>> of a built kernel, but rather a developer's tool.
> 
> No, I think I'm done for now unless you find a problem with it.  Absent 
> some compelling use case for mdp it is hard to justify spending any more 
> time on it.

Note however that the instructions in 
Documentation/admin-guide/LSM/SELinux.rst just say to run 
scripts/selinux/install_policy.sh and since that doesn't pass -m to mdp 
or -M to checkpolicy, no one will use this support unless they do it all 
by hand.

> 
>>
>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>> index 073fe7537f6c..4223e2fea441 100644
>>> --- a/scripts/selinux/mdp/mdp.c
>>> +++ b/scripts/selinux/mdp/mdp.c
>>> @@ -33,6 +33,7 @@
>>>   #include <unistd.h>
>>>   #include <string.h>
>>>   #include <sys/socket.h>
>>> +#include <linux/kconfig.h>
>>>
>>>   static void usage(char *name)
>>>   {
>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>          }
>>>          fprintf(fout, "\n");
>>>
>>> -       /* NOW PRINT OUT MLS STUFF */
>>> +       /* print out mls declarations and constraints */
>>>          if (mls) {
>>> -               printf("MLS not yet implemented\n");
>>> -               exit(1);
>>> +               fprintf(fout, "sensitivity s0;\n");
>>> +               fprintf(fout, "sensitivity s1;\n");
>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>> +               fprintf(fout, "category c0;\n");
>>> +               fprintf(fout, "category c1;\n");
>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>> +#define SYSTEMLOW "s0"
>>> +#define SYSTEMHIGH "s1:c0.c1"
>>> +               for (i = 0; secclass_map[i].name; i++) {
>>> +                       struct security_class_mapping *map = 
>>> &secclass_map[i];
>>> +
>>> +                       fprintf(fout, "mlsconstrain %s {\n", map->name);
>>> +                       for (j = 0; map->perms[j]; j++)
>>> +                               fprintf(fout, "\t%s\n", map->perms[j]);
>>> +                       /*
>>> +                        * This requires all subjects and objects to be
>>> +                        * single-level (l2 eq h2), and that the subject
>>> +                        * level dominate the object level (h1 dom h2)
>>> +                        * in order to have any permissions to it.
>>> +                        */
>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom 
>>> h2);\n\n");
>>> +               }
>>>          }
>>>
>>>          /* types, roles, and allows */
>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>          for (i = 0; secclass_map[i].name; i++)
>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>                          secclass_map[i].name);
>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>> -       fprintf(fout, "\n");
>>> +       fprintf(fout, "user user_u roles { base_r }");
>>> +       if (mls)
>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>> +       fprintf(fout, ";\n");
>>> +
>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>
>>>          /* default sids */
>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n", 
>>> initial_sid_to_string[i]);
>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>> +                       initial_sid_to_string[i], mls ? ":" 
>>> SYSTEMHIGH : "");
>>>          fprintf(fout, "\n");
>>>
>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>> -
>>> -       fprintf(fout, "fs_use_task eventpollfs 
>>> user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>> -
>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>> -
>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>> +#define FS_USE(behavior, fstype)                           \
>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>> +
>>> +       /*
>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>> +        */
>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>> +       FS_USE("xattr", "ext2");
>>> +#endif
>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>> +       FS_USE("xattr", "ext3");
>>> +#endif
>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>> +       FS_USE("xattr", "ext4");
>>> +#endif
>>> +#ifdef CONFIG_JFS_SECURITY
>>> +       FS_USE("xattr", "jfs");
>>> +#endif
>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>> +       FS_USE("xattr", "reiserfs");
>>> +#endif
>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>> +       FS_USE("xattr", "jffs2");
>>> +#endif
>>> +#ifdef CONFIG_XFS_FS
>>> +       FS_USE("xattr", "xfs");
>>> +#endif
>>> +#ifdef CONFIG_GFS2_FS
>>> +       FS_USE("xattr", "gfs2");
>>> +#endif
>>> +
>>> +       /*
>>> +        * Filesystems whose inodes are labeled from allocating task.
>>> +        */
>>> +       FS_USE("task", "pipefs");
>>> +       FS_USE("task", "sockfs");
>>> +#ifdef CONFIG_POSIX_MQUEUE
>>> +       FS_USE("task", "mqueue");
>>> +#endif
>>> +
>>> +       /*
>>> +        * Filesystems whose inode labels are computed from both
>>> +        * the allocating task and the superblock label.
>>> +        */
>>> +#ifdef CONFIG_UNIX98_PTYS
>>> +       FS_USE("trans", "devpts");
>>> +#endif
>>> +#ifdef CONFIG_HUGETLBFS
>>> +       FS_USE("trans", "hugetlbfs");
>>> +#endif
>>> +#ifdef CONFIG_TMPFS
>>> +       FS_USE("trans", "tmpfs");
>>> +#endif
>>> +
>>> +
>>> +#define GENFSCON(fstype, prefix)                            \
>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>> +
>>> +       /*
>>> +        * Filesystems whose inodes are labeled from path prefix match
>>> +        * relative to the filesystem root.  Depending on the 
>>> filesystem,
>>> +        * only a single label for all inodes may be supported.
>>> +        */
>>> +       GENFSCON("proc", "/");
>>> +       GENFSCON("selinuxfs", "/");
>>>
>>>          fclose(fout);
>>>
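Review bot: #ifdef CONFIG_XFS_FS and #ifdef CONFIG_GFS2_FS in this hunk
are false when those filesystems are built as modules, because
autoconf.h then defines CONFIG_XFS_FS_MODULE / CONFIG_GFS2_FS_MODULE
instead, so a modular XFS or GFS2 gets no fs_use_xattr rule and its
security xattrs are never consulted.  Since the patch already pulls in
<linux/kconfig.h>, #if IS_ENABLED(CONFIG_XFS_FS) (and the GFS2
equivalent) covers both cases; the *_SECURITY, POSIX_MQUEUE,
UNIX98_PTYS, HUGETLBFS and TMPFS symbols are bool options and are fine
as written.  Also in this hunk: there are two consecutive blank lines
before the GENFSCON macro, and FS_USE/GENFSCON silently reference the
local fout and mls, which a short comment on the macros (or passing
them as parameters) would make clear to the next reader.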
>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>                  printf("Wrote policy, but cannot open %s for 
>>> writing\n", ctxout);
>>>                  usage(argv[0]);
>>>          }
>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW : 
>>> "");
>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW 
>>> : "");
>>>          fclose(fout);
>>>
>>>          return 0;
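Review bot: the mls ? ":" SYSTEMLOW : "" ternary in the two
file_contexts lines here is the fourth and fifth copy of the same
expression in this patch (FS_USE and GENFSCON carry the others, and the
initial-SID loop has the SYSTEMHIGH twin).  Computing the suffixes once,
e.g. const char *mls_low = mls ? ":" SYSTEMLOW : ""; next to the
USERROLETYPE define, and using that in the macros and in these two
fprintf calls would keep the places from drifting apart if the level
names ever change.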
>>> -- 
>>> 2.20.1
>>>
>>
>>
> 


^ permalink raw reply	[flat|nested] 29+ messages in thread

* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:03   ` Stephen Smalley
  2019-02-15 15:05     ` Stephen Smalley
@ 2019-02-15 15:15     ` Paul Moore
  1 sibling, 0 replies; 29+ messages in thread
From: Paul Moore @ 2019-02-15 15:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Feb 15, 2019 at 10:03 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 2/15/19 10:00 AM, Paul Moore wrote:
> > On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> Add basic MLS policy support to mdp.  Declares
> >> two sensitivities and two categories, defines
> >> mls constraints for all permissions requiring
> >> dominance (ala MCS), assigns the system-high
> >> level to initial SID contexts and the default user
> >> level, and assigns system-low level to filesystems.
> >>
> >> Also reworks the fs_use and genfscon rules to only
> >> generate rules for filesystems that are configured
> >> in the kernel.  In some cases this depends on a specific
> >> config option for security xattrs, in other cases security
> >> xattrs are unconditionally supported by a given filesystem
> >> if the filesystem is enabled, and in some cases the filesystem
> >> is always enabled in the kernel.  Dropped obsolete pseudo
> >> filesystems.
> >>
> >> NB The list of fs_use_* and genfscon rules emitted by mdp
> >> is very incomplete compared to refpolicy or Android sepolicy.
> >> We should probably expand it.
> >>
> >> Usage:
> >> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >> checkpolicy -M -o policy policy.conf
> >>
> >> Then install the resulting policy and file_contexts as usual.
> >>
> >> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >> ---
> >> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> >> collapse down to a single fprintf call per line.
> >>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
> >>   1 file changed, 103 insertions(+), 28 deletions(-)
> >
> > This is great Stephen, thanks for working on this - and rather quickly
> > too!  For those who don't follow the GitHub issues, I just opened an
> > issue yesterday mentioning it would be nice to add MLS support to the
> > mdp tool.
> >
> > Are you planning to keep playing with this?  I'm asking not because I
> > think it needs more work to be worthwhile, but rather I don't want to
> > merge something that you want to continue working on.  If you are
> > happy with this latest patch I think it is okay to merge this into
> > selinux/next, even at this late stage, simply because it is not part
> > of a built kernel, but rather a developer's tool.
>
> No, I think I'm done for now unless you find a problem with it.  Absent
> some compelling use case for mdp it is hard to justify spending any more
> time on it.

For the record, I think having something like mdp is important as a
simple, quick to parse (by human eyes) demonstration of a "complete"
SELinux policy.  I recognize we could have a lot of good arguments
about what constitutes a "complete" SELinux policy, but for mdp let's
try to keep it as simple as possible for now.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:05     ` Stephen Smalley
@ 2019-02-15 15:18       ` Paul Moore
  2019-02-15 15:25       ` Stephen Smalley
  1 sibling, 0 replies; 29+ messages in thread
From: Paul Moore @ 2019-02-15 15:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Feb 15, 2019 at 10:05 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 2/15/19 10:03 AM, Stephen Smalley wrote:
> > On 2/15/19 10:00 AM, Paul Moore wrote:
> >> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov>
> >> wrote:
> >>> Add basic MLS policy support to mdp.  Declares
> >>> two sensitivities and two categories, defines
> >>> mls constraints for all permissions requiring
> >>> dominance (ala MCS), assigns the system-high
> >>> level to initial SID contexts and the default user
> >>> level, and assigns system-low level to filesystems.
> >>>
> >>> Also reworks the fs_use and genfscon rules to only
> >>> generate rules for filesystems that are configured
> >>> in the kernel.  In some cases this depends on a specific
> >>> config option for security xattrs, in other cases security
> >>> xattrs are unconditionally supported by a given filesystem
> >>> if the filesystem is enabled, and in some cases the filesystem
> >>> is always enabled in the kernel.  Dropped obsolete pseudo
> >>> filesystems.
> >>>
> >>> NB The list of fs_use_* and genfscon rules emitted by mdp
> >>> is very incomplete compared to refpolicy or Android sepolicy.
> >>> We should probably expand it.
> >>>
> >>> Usage:
> >>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >>> checkpolicy -M -o policy policy.conf
> >>>
> >>> Then install the resulting policy and file_contexts as usual.
> >>>
> >>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >>> ---
> >>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> >>> collapse down to a single fprintf call per line.
> >>>   scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
> >>>   1 file changed, 103 insertions(+), 28 deletions(-)
> >>
> >> This is great Stephen, thanks for working on this - and rather quickly
> >> too!  For those who don't follow the GitHub issues, I just opened an
> >> issue yesterday mentioning it would be nice to add MLS support to the
> >> mdp tool.
> >>
> >> Are you planning to keep playing with this?  I'm asking not because I
> >> think it needs more work to be worthwhile, but rather I don't want to
> >> merge something that you want to continue working on.  If you are
> >> happy with this latest patch I think it is okay to merge this into
> >> selinux/next, even at this late stage, simply because it is not part
> >> of a built kernel, but rather a developer's tool.
> >
> > No, I think I'm done for now unless you find a problem with it.  Absent
> > some compelling use case for mdp it is hard to justify spending any more
> > time on it.
>
> Note however that the instructions in
> Documentation/admin-guide/LSM/SELinux.rst just say to run
> scripts/selinux/install_policy.sh and since that doesn't pass -m to mdp
> or -M to checkpolicy, no one will use this support unless they do it all
> by hand.

Good point.

I tend to think that modifying the script to build MLS support by
default is probably a good thing; after all, why go to the trouble of
adding MLS support to mdp?  Anyone have a strong opinion against this?

Stephen, please feel free to submit a second patch adding support to
the install_policy.sh script, but if you don't have time I'll get to
that over the weekend.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:05     ` Stephen Smalley
  2019-02-15 15:18       ` Paul Moore
@ 2019-02-15 15:25       ` Stephen Smalley
  2019-02-15 15:37         ` Paul Moore
                           ` (2 more replies)
  1 sibling, 3 replies; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 15:25 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 2/15/19 10:05 AM, Stephen Smalley wrote:
> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> 
>>> wrote:
>>>> Add basic MLS policy support to mdp.  Declares
>>>> two sensitivities and two categories, defines
>>>> mls constraints for all permissions requiring
>>>> dominance (ala MCS), assigns the system-high
>>>> level to initial SID contexts and the default user
>>>> level, and assigns system-low level to filesystems.
>>>>
>>>> Also reworks the fs_use and genfscon rules to only
>>>> generate rules for filesystems that are configured
>>>> in the kernel.  In some cases this depends on a specific
>>>> config option for security xattrs, in other cases security
>>>> xattrs are unconditionally supported by a given filesystem
>>>> if the filesystem is enabled, and in some cases the filesystem
>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>> filesystems.
>>>>
>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>> We should probably expand it.
>>>>
>>>> Usage:
>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>> checkpolicy -M -o policy policy.conf
>>>>
>>>> Then install the resulting policy and file_contexts as usual.
>>>>
>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>> ---
>>>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
>>>> collapse down to a single fprintf call per line.
>>>>   scripts/selinux/mdp/mdp.c | 131 
>>>> ++++++++++++++++++++++++++++++--------
>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>>
>>> This is great Stephen, thanks for working on this - and rather quickly
>>> too!  For those who don't follow the GitHub issues, I just opened an
>>> issue yesterday mentioning it would be nice to add MLS support to the
>>> mdp tool.
>>>
>>> Are you planning to keep playing with this?  I'm asking not because I
>>> think it needs more work to be worthwhile, but rather I don't want to
>>> merge something that you want to continue working on.  If you are
>>> happy with this latest patch I think it is okay to merge this into
>>> selinux/next, even at this late stage, simply because it is not part
>>> of a built kernel, but rather a developer's tool.
>>
>> No, I think I'm done for now unless you find a problem with it.  
>> Absent some compelling use case for mdp it is hard to justify spending 
>> any more time on it.
> 
> Note however that the instructions in 
> Documentation/admin-guide/LSM/SELinux.rst just say to run 
> scripts/selinux/install_policy.sh and since that doesn't pass -m to mdp 
> or -M to checkpolicy, no one will use this support unless they do it all 
> by hand.

FWIW, a Fedora system wouldn't come up cleanly with this policy.  Partly 
appears to be due to systemd having embedded security contexts specific 
to Fedora/refpolicy into its own configurations and partly due to MLS 
denials.  I don't even know if it would work before this change though...

> 
>>
>>>
>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>> index 073fe7537f6c..4223e2fea441 100644
>>>> --- a/scripts/selinux/mdp/mdp.c
>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>> @@ -33,6 +33,7 @@
>>>>   #include <unistd.h>
>>>>   #include <string.h>
>>>>   #include <sys/socket.h>
>>>> +#include <linux/kconfig.h>
>>>>
>>>>   static void usage(char *name)
>>>>   {
>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>          }
>>>>          fprintf(fout, "\n");
>>>>
>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>> +       /* print out mls declarations and constraints */
>>>>          if (mls) {
>>>> -               printf("MLS not yet implemented\n");
>>>> -               exit(1);
>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>> +               fprintf(fout, "category c0;\n");
>>>> +               fprintf(fout, "category c1;\n");
>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>> +#define SYSTEMLOW "s0"
>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>> +                       struct security_class_mapping *map = 
>>>> &secclass_map[i];
>>>> +
>>>> +                       fprintf(fout, "mlsconstrain %s {\n", 
>>>> map->name);
>>>> +                       for (j = 0; map->perms[j]; j++)
>>>> +                               fprintf(fout, "\t%s\n", map->perms[j]);
>>>> +                       /*
>>>> +                        * This requires all subjects and objects to be
>>>> +                        * single-level (l2 eq h2), and that the 
>>>> subject
>>>> +                        * level dominate the object level (h1 dom h2)
>>>> +                        * in order to have any permissions to it.
>>>> +                        */
>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom 
>>>> h2);\n\n");
>>>> +               }
>>>>          }
>>>>
>>>>          /* types, roles, and allows */
>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>          for (i = 0; secclass_map[i].name; i++)
>>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>                          secclass_map[i].name);
>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>> -       fprintf(fout, "\n");
>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>> +       if (mls)
>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>> +       fprintf(fout, ";\n");
>>>> +
>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>
>>>>          /* default sids */
>>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n", 
>>>> initial_sid_to_string[i]);
>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>> +                       initial_sid_to_string[i], mls ? ":" 
>>>> SYSTEMHIGH : "");
>>>>          fprintf(fout, "\n");
>>>>
>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>> -
>>>> -       fprintf(fout, "fs_use_task eventpollfs 
>>>> user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>> -
>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_trans hugetlbfs 
>>>> user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>> -
>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>> +#define FS_USE(behavior, fstype)                           \
>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>> +
>>>> +       /*
>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>> +        */
>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>> +       FS_USE("xattr", "ext2");
>>>> +#endif
>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>> +       FS_USE("xattr", "ext3");
>>>> +#endif
>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>> +       FS_USE("xattr", "ext4");
>>>> +#endif
>>>> +#ifdef CONFIG_JFS_SECURITY
>>>> +       FS_USE("xattr", "jfs");
>>>> +#endif
>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>> +       FS_USE("xattr", "reiserfs");
>>>> +#endif
>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>> +       FS_USE("xattr", "jffs2");
>>>> +#endif
>>>> +#ifdef CONFIG_XFS_FS
>>>> +       FS_USE("xattr", "xfs");
>>>> +#endif
>>>> +#ifdef CONFIG_GFS2_FS
>>>> +       FS_USE("xattr", "gfs2");
>>>> +#endif
>>>> +
>>>> +       /*
>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>> +        */
>>>> +       FS_USE("task", "pipefs");
>>>> +       FS_USE("task", "sockfs");
>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>> +       FS_USE("task", "mqueue");
>>>> +#endif
>>>> +
>>>> +       /*
>>>> +        * Filesystems whose inode labels are computed from both
>>>> +        * the allocating task and the superblock label.
>>>> +        */
>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>> +       FS_USE("trans", "devpts");
>>>> +#endif
>>>> +#ifdef CONFIG_HUGETLBFS
>>>> +       FS_USE("trans", "hugetlbfs");
>>>> +#endif
>>>> +#ifdef CONFIG_TMPFS
>>>> +       FS_USE("trans", "tmpfs");
>>>> +#endif
>>>> +
>>>> +
>>>> +#define GENFSCON(fstype, prefix)                            \
>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>> +
>>>> +       /*
>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>> +        * relative to the filesystem root.  Depending on the 
>>>> filesystem,
>>>> +        * only a single label for all inodes may be supported.
>>>> +        */
>>>> +       GENFSCON("proc", "/");
>>>> +       GENFSCON("selinuxfs", "/");
>>>>
>>>>          fclose(fout);
>>>>
>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>                  printf("Wrote policy, but cannot open %s for 
>>>> writing\n", ctxout);
>>>>                  usage(argv[0]);
>>>>          }
>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW 
>>>> : "");
>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" 
>>>> SYSTEMLOW : "");
>>>>          fclose(fout);
>>>>
>>>>          return 0;
>>>> -- 
>>>> 2.20.1
>>>>
>>>
>>>
>>
> 


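
Added example (not part of this thread, and not mdp's or the kernel's
code): a small Python model of the MLS check the generated policy
performs, using the lattice the patch declares (s0 below s1, categories
c0 and c1) and the constraint expression it emits for every permission,
(l2 eq h2 and h1 dom h2).  It makes concrete which accesses of the kind
Stephen mentions as MLS denials the expression refuses, and why.  Every
context used as input is constructed for illustration.

```python
"""Evaluate the MLS constraint an "mdp -m" policy attaches to every permission.

Added example for this thread, not code from mdp or the kernel.  The sensitivity
order (s0 below s1), the categories (c0, c1) and the expression
"(l2 eq h2 and h1 dom h2)" are taken from the quoted patch; every context used
as input below is constructed for illustration.
"""
from dataclasses import dataclass

SENSITIVITIES = ["s0", "s1"]      # "dominance { s0 s1 }": earlier entries are lower
CATEGORIES = {"c0", "c1"}         # "category c0; category c1;"


@dataclass(frozen=True)
class Level:
    sens: str
    cats: frozenset

    @classmethod
    def parse(cls, text):
        """Parse "s0", "s1:c0,c1" or "s1:c0.c1" (c0.c1 is a category range)."""
        sens, _, catspec = text.strip().partition(":")
        if sens not in SENSITIVITIES:
            raise ValueError(f"unknown sensitivity {sens!r}")
        cats = set()
        for part in filter(None, catspec.split(",")):
            if "." in part:
                lo, hi = (int(c[1:]) for c in part.split("."))
                if lo > hi:
                    raise ValueError(f"bad category range {part!r}")
                cats.update(f"c{i}" for i in range(lo, hi + 1))
            else:
                cats.add(part)
        if cats - CATEGORIES:
            raise ValueError(f"unknown categories {sorted(cats - CATEGORIES)}")
        return cls(sens, frozenset(cats))

    def dom(self, other):
        """MLS dominance: sensitivity not lower, and categories a superset."""
        return (SENSITIVITIES.index(self.sens) >= SENSITIVITIES.index(other.sens)
                and self.cats >= other.cats)


@dataclass(frozen=True)
class Range:
    low: Level
    high: Level

    @classmethod
    def parse(cls, text):
        """Parse "s0-s1:c0.c1" (context form), "s0 - s1:c0.c1" (policy form) or "s0"."""
        low, sep, high = text.partition("-")
        lo = Level.parse(low)
        hi = Level.parse(high) if sep else lo
        if not hi.dom(lo):
            raise ValueError(f"high level does not dominate low level in {text!r}")
        return cls(lo, hi)


def mls_range_of(context):
    """Return the MLS range of a full context "user:role:type:low[-high]"."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context {context!r} has no MLS field")
    return Range.parse(fields[3])


def failing_clause(source_ctx, target_ctx):
    """Evaluate "(l2 eq h2 and h1 dom h2)" for a subject and an object.

    l1/h1 are the subject's low/high levels, l2/h2 the object's.  Returns None
    when the MLS constraint holds, else the first clause that fails.  Only the
    MLS part of the decision is modelled; the type-enforcement allow rule is a
    separate check.
    """
    src, tgt = mls_range_of(source_ctx), mls_range_of(target_ctx)
    if tgt.low != tgt.high:
        return "l2 eq h2"      # a ranged object is refused outright
    if not src.high.dom(tgt.high):
        return "h1 dom h2"     # subject's high level must dominate the object
    return None                # the subject's own range is never pinned


def mls_allows(source_ctx, target_ctx):
    """True when the MLS part of the decision permits the access."""
    return failing_clause(source_ctx, target_ctx) is None


if __name__ == "__main__":
    # Constructed contexts: mdp -m puts initial SIDs at s1:c0.c1 (SYSTEMHIGH)
    # and filesystems at s0 (SYSTEMLOW); the other levels are hypothetical.
    HIGH = "user_u:base_r:base_t:s1:c0.c1"
    for src, tgt in [
        (HIGH, "user_u:base_r:base_t:s0"),
        ("user_u:base_r:base_t:s0", HIGH),
        ("user_u:base_r:base_t:s1:c0", HIGH),
        (HIGH, "user_u:base_r:base_t:s0-s1:c0.c1"),
        ("user_u:base_r:base_t:s0-s1:c0.c1", HIGH),
    ]:
        why = failing_clause(src, tgt)
        print(f"{src:38} -> {tgt:38} {'allowed' if why is None else 'denied: ' + why}")
```

Running the file prints a verdict for each constructed pair.  The last
pair is worth a look: a subject with the ranged context s0-s1:c0.c1 is
still allowed onto an s1:c0.c1 object, because the expression pins only
the target's range (l2 eq h2) and tests the subject's high level alone.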

* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:25       ` Stephen Smalley
@ 2019-02-15 15:37         ` Paul Moore
  2019-02-15 15:40         ` Stephen Smalley
  2019-02-15 16:50         ` Dominick Grift
  2 siblings, 0 replies; 29+ messages in thread
From: Paul Moore @ 2019-02-15 15:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Fri, Feb 15, 2019 at 10:25 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 2/15/19 10:05 AM, Stephen Smalley wrote:
> > On 2/15/19 10:03 AM, Stephen Smalley wrote:
> >> On 2/15/19 10:00 AM, Paul Moore wrote:
> >>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov>
> >>> wrote:
> >>>> Add basic MLS policy support to mdp.  Declares
> >>>> two sensitivities and two categories, defines
> >>>> mls constraints for all permissions requiring
> >>>> dominance (ala MCS), assigns the system-high
> >>>> level to initial SID contexts and the default user
> >>>> level, and assigns system-low level to filesystems.
> >>>>
> >>>> Also reworks the fs_use and genfscon rules to only
> >>>> generate rules for filesystems that are configured
> >>>> in the kernel.  In some cases this depends on a specific
> >>>> config option for security xattrs, in other cases security
> >>>> xattrs are unconditionally supported by a given filesystem
> >>>> if the filesystem is enabled, and in some cases the filesystem
> >>>> is always enabled in the kernel.  Dropped obsolete pseudo
> >>>> filesystems.
> >>>>
> >>>> NB The list of fs_use_* and genfscon rules emitted by mdp
> >>>> is very incomplete compared to refpolicy or Android sepolicy.
> >>>> We should probably expand it.
> >>>>
> >>>> Usage:
> >>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >>>> checkpolicy -M -o policy policy.conf
> >>>>
> >>>> Then install the resulting policy and file_contexts as usual.
> >>>>
> >>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >>>> ---
> >>>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> >>>> collapse down to a single fprintf call per line.
> >>>>   scripts/selinux/mdp/mdp.c | 131
> >>>> ++++++++++++++++++++++++++++++--------
> >>>>   1 file changed, 103 insertions(+), 28 deletions(-)
> >>>
> >>> This is great Stephen, thanks for working on this - and rather quickly
> >>> too!  For those who don't follow the GitHub issues, I just opened an
> >>> issue yesterday mentioning it would be nice to add MLS support to the
> >>> mdp tool.
> >>>
> >>> Are you planning to keep playing with this?  I'm asking not because I
> >>> think it needs more work to be worthwhile, but rather I don't want to
> >>> merge something that you want to continue working on.  If you are
> >>> happy with this latest patch I think it is okay to merge this into
> >>> selinux/next, even at this late stage, simply because it is not part
> >>> of a built kernel, but rather a developer's tool.
> >>
> >> No, I think I'm done for now unless you find a problem with it.
> >> Absent some compelling use case for mdp it is hard to justify spending
> >> any more time on it.
> >
> > Note however that the instructions in
> > Documentation/admin-guide/LSM/SELinux.rst just say to run
> > scripts/selinux/install_policy.sh and since that doesn't pass -m to mdp
> > or -M to checkpolicy, no one will use this support unless they do it all
> > by hand.
>
> FWIW, a Fedora system wouldn't come up cleanly with this policy.  Partly
> appears to be due to systemd having embedded security contexts specific
> to Fedora/refpolicy into its own configurations and partly due to MLS
> denials.  I don't even know if it would work before this change though...

Providing a usable policy for Fedora via mdp, while nice, isn't really
the main goal with mdp as far as I'm concerned (see my other
response).  As you pointed out, I'd be surprised if the current,
unpatched mdp policy would work on Fedora.

Regardless, it might be nice to add a warning about that in the
SELinux.rst file, along with changes to the install_policy.sh script
to enable MLS.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:25       ` Stephen Smalley
  2019-02-15 15:37         ` Paul Moore
@ 2019-02-15 15:40         ` Stephen Smalley
  2019-02-15 16:52           ` Dominick Grift
  2019-02-15 16:50         ` Dominick Grift
  2 siblings, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 15:40 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux

On 2/15/19 10:25 AM, Stephen Smalley wrote:
> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@tycho.nsa.gov> 
>>>> wrote:
>>>>> Add basic MLS policy support to mdp.  Declares
>>>>> two sensitivities and two categories, defines
>>>>> mls constraints for all permissions requiring
>>>>> dominance (ala MCS), assigns the system-high
>>>>> level to initial SID contexts and the default user
>>>>> level, and assigns system-low level to filesystems.
>>>>>
>>>>> Also reworks the fs_use and genfscon rules to only
>>>>> generate rules for filesystems that are configured
>>>>> in the kernel.  In some cases this depends on a specific
>>>>> config option for security xattrs, in other cases security
>>>>> xattrs are unconditionally supported by a given filesystem
>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>> filesystems.
>>>>>
>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>> We should probably expand it.
>>>>>
>>>>> Usage:
>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>> checkpolicy -M -o policy policy.conf
>>>>>
>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>
>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>> ---
>>>>> v3 fixes up the file contexts generation code to also use SYSTEMLOW 
>>>>> and
>>>>> collapse down to a single fprintf call per line.
>>>>>   scripts/selinux/mdp/mdp.c | 131 
>>>>> ++++++++++++++++++++++++++++++--------
>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>>>
>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>> mdp tool.
>>>>
>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>> merge something that you want to continue working on.  If you are
>>>> happy with this latest patch I think it is okay to merge this into
>>>> selinux/next, even at this late stage, simply because it is not part
>>>> of a built kernel, but rather a developer's tool.
>>>
>>> No, I think I'm done for now unless you find a problem with it. 
>>> Absent some compelling use case for mdp it is hard to justify 
>>> spending any more time on it.
>>
>> Note however that the instructions in 
>> Documentation/admin-guide/LSM/SELinux.rst just say to run 
>> scripts/selinux/install_policy.sh and since that doesn't pass -m to 
>> mdp or -M to checkpolicy, no one will use this support unless they do 
>> it all by hand.
> 
> FWIW, a Fedora system wouldn't come up cleanly with this policy.  Partly 
> appears to be due to systemd having embedded security contexts specific 
> to Fedora/refpolicy into its own configurations and partly due to MLS 
> denials.  I don't even know if it would work before this change though...

Couldn't seem to get a mdp-generated policy to boot on Fedora even in 
permissive, before or after this change.  I assume it has to do with 
leaking of contexts outside of the policy and/or missing config files 
from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has 
systemd_contexts and other userspace config files that don't exist in 
the mdp policy).  More evidence of the irrelevance of mdp...

> 
>>
>>>
>>>>
>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>> @@ -33,6 +33,7 @@
>>>>>   #include <unistd.h>
>>>>>   #include <string.h>
>>>>>   #include <sys/socket.h>
>>>>> +#include <linux/kconfig.h>
>>>>>
>>>>>   static void usage(char *name)
>>>>>   {
>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>          }
>>>>>          fprintf(fout, "\n");
>>>>>
>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>> +       /* print out mls declarations and constraints */
>>>>>          if (mls) {
>>>>> -               printf("MLS not yet implemented\n");
>>>>> -               exit(1);
>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>> +               fprintf(fout, "category c0;\n");
>>>>> +               fprintf(fout, "category c1;\n");
>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>> +#define SYSTEMLOW "s0"
>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>> +                       struct security_class_mapping *map = 
>>>>> &secclass_map[i];
>>>>> +
>>>>> +                       fprintf(fout, "mlsconstrain %s {\n", 
>>>>> map->name);
>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>> +                               fprintf(fout, "\t%s\n", 
>>>>> map->perms[j]);
>>>>> +                       /*
>>>>> +                        * This requires all subjects and objects 
>>>>> to be
>>>>> +                        * single-level (l2 eq h2), and that the 
>>>>> subject
>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>> +                        * in order to have any permissions to it.
>>>>> +                        */
>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom 
>>>>> h2);\n\n");
>>>>> +               }
>>>>>          }
>>>>>
>>>>>          /* types, roles, and allows */
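Review bot: the comment above `fprintf(fout, "} (l2 eq h2 and h1 dom h2);\n\n")` says the constraint requires all subjects and objects to be single-level, but `l2 eq h2` only forces the object (target) to be single-level; a subject may keep a range and only its high level `h1` is compared. Either reword the comment or add `l1 eq h1` if single-level subjects are intended. Also, `#define SYSTEMLOW "s0"` and `#define SYSTEMHIGH "s1:c0.c1"` sit inside the `if (mls) {` block while later hunks use them outside it; the preprocessor does not care, but hoisting both to file scope next to the other macros reads better.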
>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>          for (i = 0; secclass_map[i].name; i++)
>>>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>                          secclass_map[i].name);
>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>> -       fprintf(fout, "\n");
>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>> +       if (mls)
>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>> +       fprintf(fout, ";\n");
>>>>> +
>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>
>>>>>          /* default sids */
>>>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n", 
>>>>> initial_sid_to_string[i]);
>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>> +                       initial_sid_to_string[i], mls ? ":" 
>>>>> SYSTEMHIGH : "");
>>>>>          fprintf(fout, "\n");
>>>>>
>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr reiserfs 
>>>>> user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "fs_use_task eventpollfs 
>>>>> user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs 
>>>>> user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>> +        */
>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext2");
>>>>> +#endif
>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext3");
>>>>> +#endif
>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext4");
>>>>> +#endif
>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>> +       FS_USE("xattr", "jfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>> +       FS_USE("xattr", "reiserfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>> +       FS_USE("xattr", "jffs2");
>>>>> +#endif
>>>>> +#ifdef CONFIG_XFS_FS
>>>>> +       FS_USE("xattr", "xfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_GFS2_FS
>>>>> +       FS_USE("xattr", "gfs2");
>>>>> +#endif
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>> +        */
>>>>> +       FS_USE("task", "pipefs");
>>>>> +       FS_USE("task", "sockfs");
>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>> +       FS_USE("task", "mqueue");
>>>>> +#endif
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inode labels are computed from both
>>>>> +        * the allocating task and the superblock label.
>>>>> +        */
>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>> +       FS_USE("trans", "devpts");
>>>>> +#endif
>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_TMPFS
>>>>> +       FS_USE("trans", "tmpfs");
>>>>> +#endif
>>>>> +
>>>>> +
>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>> +        * relative to the filesystem root.  Depending on the 
>>>>> filesystem,
>>>>> +        * only a single label for all inodes may be supported.
>>>>> +        */
>>>>> +       GENFSCON("proc", "/");
>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>
>>>>>          fclose(fout);
>>>>>
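Review bot: `#ifdef CONFIG_XFS_FS` and `#ifdef CONFIG_GFS2_FS` only see `=y`; those two are tristate, and a module build defines `CONFIG_XFS_FS_MODULE` / `CONFIG_GFS2_FS_MODULE` instead, so an `=m` xfs or gfs2 silently loses its `fs_use_xattr` rule and inodes on it fall back to the unlabeled default. Since `<linux/kconfig.h>` is now included, `#if IS_ENABLED(CONFIG_XFS_FS)` covers both cases. Minor: there is a doubled blank line before the `#define GENFSCON` block, and `FS_USE`, `GENFSCON` and `USERROLETYPE` are defined mid-function; placing them with `SYSTEMLOW`/`SYSTEMHIGH` at file scope would keep `main()` readable.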
>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>                  printf("Wrote policy, but cannot open %s for 
>>>>> writing\n", ctxout);
>>>>>                  usage(argv[0]);
>>>>>          }
>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":" SYSTEMLOW 
>>>>> : "");
>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":" 
>>>>> SYSTEMLOW : "");
>>>>>          fclose(fout);
>>>>>
>>>>>          return 0;
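Review bot: both file_contexts lines repeat `mls ? ":" SYSTEMLOW : ""` by hand although the previous hunk introduced the `FS_USE`/`GENFSCON` macro pattern for exactly this; a small `FILECONTEXT(regex)` macro, or computing the suffix once into a `const char *` shared by every `USERROLETYPE "%s"` call site, would remove the duplication. The labels themselves match the commit message: file_contexts get SYSTEMLOW while the initial SIDs get SYSTEMHIGH, so the `h1 dom h2` constraint lets the system-high processes reach them.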
>>>>> -- 
>>>>> 2.20.1
>>>>>
>>>>
>>>>
>>>
>>
> 


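The patch quoted above prints `mlsconstrain <class> { <perms> } (l2 eq h2 and h1 dom h2);` for every class and gives initial SIDs SYSTEMHIGH and filesystems SYSTEMLOW. As an added example, not part of mdp.c or the patch, the small evaluator below models that two-sensitivity, two-category lattice and checks which subject/object context pairs the constraint admits; every function name in it is my own.

```python
"""Evaluate the MLS constraint emitted by `mdp -m` over its two-level lattice.

Added example; these helpers are not part of mdp.c or of the kernel tree.
The policy fragment modelled is the one the patch prints:
    sensitivity s0; sensitivity s1; dominance { s0 s1 }
    category c0; category c1;
    mlsconstrain <class> { <perms> } (l2 eq h2 and h1 dom h2);
"""
from dataclasses import dataclass

SENSITIVITIES = ["s0", "s1"]      # order of the dominance statement
CATEGORIES = {"c0", "c1"}
SYSTEMLOW = "s0"                  # mdp's SYSTEMLOW
SYSTEMHIGH = "s1:c0.c1"           # mdp's SYSTEMHIGH


@dataclass(frozen=True)
class Level:
    sens: int              # index into SENSITIVITIES
    cats: frozenset        # set of category names


def parse_level(text: str) -> Level:
    """Parse 's0', 's1:c0.c1' or 's1:c0,c1' (checkpolicy syntax) into a Level."""
    sens, _, cat_part = text.partition(":")
    if sens not in SENSITIVITIES:
        raise ValueError(f"unknown sensitivity {sens!r}")
    cats = set()
    for item in filter(None, cat_part.split(",")):
        if "." in item:                         # 'c0.c1' is the range c0..c1
            lo, hi = (int(c[1:]) for c in item.split(".", 1))
            cats.update(f"c{n}" for n in range(lo, hi + 1))
        else:
            cats.add(item)
    if not cats <= CATEGORIES:
        raise ValueError(f"unknown categories {sorted(cats - CATEGORIES)}")
    return Level(SENSITIVITIES.index(sens), frozenset(cats))


def parse_range(text: str):
    """'low - high' -> (low, high); a lone level is a single-level range."""
    low, _, high = text.partition("-")
    low_level = parse_level(low.strip())
    high_level = parse_level(high.strip()) if high.strip() else low_level
    return low_level, high_level


def dominates(a: Level, b: Level) -> bool:
    """'a dom b': higher-or-equal sensitivity and a superset of categories."""
    return a.sens >= b.sens and a.cats >= b.cats


def mls_range_of(context: str) -> str:
    """Return the range field of 'user:role:type:range' as mdp writes it."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context has no MLS field: {context!r}")
    return parts[3]


def mdp_constraint_allows(subject_ctx: str, object_ctx: str) -> bool:
    """True iff (l2 eq h2 and h1 dom h2) holds for the two contexts.

    l1/h1 are the subject's low/high level, l2/h2 the object's, as in the
    mlsconstrain statement mdp prints for every class and permission.
    """
    _l1, h1 = parse_range(mls_range_of(subject_ctx))
    l2, h2 = parse_range(mls_range_of(object_ctx))
    return l2 == h2 and dominates(h1, h2)


if __name__ == "__main__":
    sid = "user_u:base_r:base_t:" + SYSTEMHIGH      # mdp initial SIDs
    fs = "user_u:base_r:base_t:" + SYSTEMLOW        # mdp fs_use/genfscon labels
    print(mdp_constraint_allows(sid, fs))           # True
    print(mdp_constraint_allows(fs, sid))           # False: s0 does not dom s1:c0.c1
```

Note that a ranged object such as `s0 - s1:c0.c1` is always refused because `l2 eq h2` fails, which is why the patch labels filesystems with a single level.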

* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:25       ` Stephen Smalley
  2019-02-15 15:37         ` Paul Moore
  2019-02-15 15:40         ` Stephen Smalley
@ 2019-02-15 16:50         ` Dominick Grift
  2 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 16:50 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>> <sds@tycho.nsa.gov> wrote:
>>>>> Add basic MLS policy support to mdp.  Declares
>>>>> two sensitivities and two categories, defines
>>>>> mls constraints for all permissions requiring
>>>>> dominance (ala MCS), assigns the system-high
>>>>> level to initial SID contexts and the default user
>>>>> level, and assigns system-low level to filesystems.
>>>>>
>>>>> Also reworks the fs_use and genfscon rules to only
>>>>> generate rules for filesystems that are configured
>>>>> in the kernel.  In some cases this depends on a specific
>>>>> config option for security xattrs, in other cases security
>>>>> xattrs are unconditionally supported by a given filesystem
>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>> filesystems.
>>>>>
>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>> We should probably expand it.
>>>>>
>>>>> Usage:
>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>> checkpolicy -M -o policy policy.conf
>>>>>
>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>
>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>> ---
>>>>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
>>>>> collapse down to a single fprintf call per line.
>>>>>   scripts/selinux/mdp/mdp.c | 131
>>>>> ++++++++++++++++++++++++++++++--------
>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>>>
>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>> mdp tool.
>>>>
>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>> merge something that you want to continue working on.  If you are
>>>> happy with this latest patch I think it is okay to merge this into
>>>> selinux/next, even at this late stage, simply because it is not part
>>>> of a built kernel, but rather a developer's tool.
>>>
>>> No, I think I'm done for now unless you find a problem with it.
>>> Absent some compelling use case for mdp it is hard to justify
>>> spending any more time on it.
>>
>> Note however that the instructions in
>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>> mdp or -M to checkpolicy, no one will use this support unless they
>> do it all by hand.
>
> FWIW, a Fedora system wouldn't come up cleanly with this policy.
> Partly appears to be due to systemd having embedded security contexts
> specific to Fedora/refpolicy into its own configurations and partly
> due to MLS denials.  I don't even know if it would work before this
> change though...

Interesting. Can you be more specific? I can boot my dssp2 policy on
fedora just fine.

The only thing you might want to do is relabeling the underlying
mountpoints. Because if you install mdp and then relabel the
filesystem, there are a lot of filesystems mounted over mislabeled
mountpoints.

You'd do a bind --mount / /mnt

And then label those there. Example from dssp2:

When installing dssp2-standard on an existing fedora installation some contexts of directories in the root filesystem become invalid:

mount --bind / /mnt
chcon -u sys.id -r sys.role -t fs.sysfs.fs /mnt/sys
chcon -u sys.id -r sys.role -t files.generic_runtime.runtime_file /mnt/run
chcon -u sys.id -r sys.role -t files.home.file /mnt/home
chcon -u sys.id -r sys.role -t fs.proc.fs /mnt/proc
chcon -u sys.id -r sys.role -t fs.devtmpfs.fs /mnt/dev
chcon -u sys.id -r sys.role -t files.generic_boot.boot_file /mnt/boot
chcon -R -u sys.id -r sys.role -t fs.tmpfs.fs /mnt/tmp
setenforce 0
rm -f /mnt/tmp/ks-script-*
setenforce 1
umount /mnt
umount /boot/efi
restorecon -RF /boot/efi
mount /dev/sda1 /boot/efi
setsebool -P sys.mounton_invalid_dir off

>
>>
>>>
>>>>
>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>> @@ -33,6 +33,7 @@
>>>>>   #include <unistd.h>
>>>>>   #include <string.h>
>>>>>   #include <sys/socket.h>
>>>>> +#include <linux/kconfig.h>
>>>>>
>>>>>   static void usage(char *name)
>>>>>   {
>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>          }
>>>>>          fprintf(fout, "\n");
>>>>>
>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>> +       /* print out mls declarations and constraints */
>>>>>          if (mls) {
>>>>> -               printf("MLS not yet implemented\n");
>>>>> -               exit(1);
>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>> +               fprintf(fout, "category c0;\n");
>>>>> +               fprintf(fout, "category c1;\n");
>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>> +#define SYSTEMLOW "s0"
>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>> +                       struct security_class_mapping *map =
>>>>> &secclass_map[i];
>>>>> +
>>>>> +                       fprintf(fout, "mlsconstrain %s {\n",
>>>>> map->name);
>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>> +                               fprintf(fout, "\t%s\n", map->perms[j]);
>>>>> +                       /*
>>>>> +                        * This requires all subjects and objects to be
>>>>> +                        * single-level (l2 eq h2), and that the
>>>>> subject
>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>> +                        * in order to have any permissions to it.
>>>>> +                        */
>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom
>>>>> h2);\n\n");
>>>>> +               }
>>>>>          }
>>>>>
>>>>>          /* types, roles, and allows */
>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>          for (i = 0; secclass_map[i].name; i++)
>>>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>                          secclass_map[i].name);
>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>> -       fprintf(fout, "\n");
>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>> +       if (mls)
>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>> +       fprintf(fout, ";\n");
>>>>> +
>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>
>>>>>          /* default sids */
>>>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n",
>>>>> initial_sid_to_string[i]);
>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>> +                       initial_sid_to_string[i], mls ? ":"
>>>>> SYSTEMHIGH : "");
>>>>>          fprintf(fout, "\n");
>>>>>
>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "fs_use_task eventpollfs
>>>>> user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs
>>>>> user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>> -
>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>> +        */
>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext2");
>>>>> +#endif
>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext3");
>>>>> +#endif
>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>> +       FS_USE("xattr", "ext4");
>>>>> +#endif
>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>> +       FS_USE("xattr", "jfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>> +       FS_USE("xattr", "reiserfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>> +       FS_USE("xattr", "jffs2");
>>>>> +#endif
>>>>> +#ifdef CONFIG_XFS_FS
>>>>> +       FS_USE("xattr", "xfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_GFS2_FS
>>>>> +       FS_USE("xattr", "gfs2");
>>>>> +#endif
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>> +        */
>>>>> +       FS_USE("task", "pipefs");
>>>>> +       FS_USE("task", "sockfs");
>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>> +       FS_USE("task", "mqueue");
>>>>> +#endif
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inode labels are computed from both
>>>>> +        * the allocating task and the superblock label.
>>>>> +        */
>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>> +       FS_USE("trans", "devpts");
>>>>> +#endif
>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>> +#endif
>>>>> +#ifdef CONFIG_TMPFS
>>>>> +       FS_USE("trans", "tmpfs");
>>>>> +#endif
>>>>> +
>>>>> +
>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>> +
>>>>> +       /*
>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>> +        * relative to the filesystem root.  Depending on the
>>>>> filesystem,
>>>>> +        * only a single label for all inodes may be supported.
>>>>> +        */
>>>>> +       GENFSCON("proc", "/");
>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>
>>>>>          fclose(fout);
>>>>>
>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>                  printf("Wrote policy, but cannot open %s for
>>>>> writing\n", ctxout);
>>>>>                  usage(argv[0]);
>>>>>          }
>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":"
>>>>> SYSTEMLOW : "");
>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":"
>>>>> SYSTEMLOW : "");
>>>>>          fclose(fout);
>>>>>
>>>>>          return 0;
>>>>> -- 
>>>>> 2.20.1
>>>>>
>>>>
>>>>
>>>
>>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 15:40         ` Stephen Smalley
@ 2019-02-15 16:52           ` Dominick Grift
  2019-02-15 17:16             ` Stephen Smalley
  2019-02-15 17:24             ` Dominick Grift
  0 siblings, 2 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 16:52 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>> two sensitivities and two categories, defines
>>>>>> mls constraints for all permissions requiring
>>>>>> dominance (ala MCS), assigns the system-high
>>>>>> level to initial SID contexts and the default user
>>>>>> level, and assigns system-low level to filesystems.
>>>>>>
>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>> generate rules for filesystems that are configured
>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>> config option for security xattrs, in other cases security
>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>> filesystems.
>>>>>>
>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>> We should probably expand it.
>>>>>>
>>>>>> Usage:
>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>
>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>
>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>> ---
>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>> SYSTEMLOW and
>>>>>> collapse down to a single fprintf call per line.
>>>>>>   scripts/selinux/mdp/mdp.c | 131
>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>
>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>> mdp tool.
>>>>>
>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>> merge something that you want to continue working on.  If you are
>>>>> happy with this latest patch I think it is okay to merge this into
>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>> of a built kernel, but rather a developer's tool.
>>>>
>>>> No, I think I'm done for now unless you find a problem with
>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>> spending any more time on it.
>>>
>>> Note however that the instructions in
>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>> mdp or -M to checkpolicy, no one will use this support unless they
>>> do it all by hand.
>>
>> FWIW, a Fedora system wouldn't come up cleanly with this policy. 
>> Partly appears to be due to systemd having embedded security
>> contexts specific to Fedora/refpolicy into its own configurations
>> and partly due to MLS denials.  I don't even know if it would work
>> before this change though...
>
> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
> permissive, before or after this change.  I assume it has to do with
> leaking of contexts outside of the policy and/or missing config files
> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
> systemd_contexts and other userspace config files that don't exist in
> the mdp policy).  More evidence of the irrelevance of mdp...

Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
start without it, and these days without dbus no system

>
>>
>>>
>>>>
>>>>>
>>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>>> @@ -33,6 +33,7 @@
>>>>>>   #include <unistd.h>
>>>>>>   #include <string.h>
>>>>>>   #include <sys/socket.h>
>>>>>> +#include <linux/kconfig.h>
>>>>>>
>>>>>>   static void usage(char *name)
>>>>>>   {
>>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>>          }
>>>>>>          fprintf(fout, "\n");
>>>>>>
>>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>>> +       /* print out mls declarations and constraints */
>>>>>>          if (mls) {
>>>>>> -               printf("MLS not yet implemented\n");
>>>>>> -               exit(1);
>>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>>> +               fprintf(fout, "category c0;\n");
>>>>>> +               fprintf(fout, "category c1;\n");
>>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>>> +#define SYSTEMLOW "s0"
>>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>>> +                       struct security_class_mapping *map =
>>>>>> &secclass_map[i];
>>>>>> +
>>>>>> +                       fprintf(fout, "mlsconstrain %s {\n",
>>>>>> map->name);
>>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>>> +                               fprintf(fout, "\t%s\n",
>>>>>> map->perms[j]);
>>>>>> +                       /*
>>>>>> +                        * This requires all subjects and
>>>>>> objects to be
>>>>>> +                        * single-level (l2 eq h2), and that the
>>>>>> subject
>>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>>> +                        * in order to have any permissions to it.
>>>>>> +                        */
>>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom
>>>>>> h2);\n\n");
>>>>>> +               }
>>>>>>          }
>>>>>>
>>>>>>          /* types, roles, and allows */
>>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>>          for (i = 0; secclass_map[i].name; i++)
>>>>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>>                          secclass_map[i].name);
>>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>>> -       fprintf(fout, "\n");
>>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>>> +       if (mls)
>>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>>> +       fprintf(fout, ";\n");
>>>>>> +
>>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>>
>>>>>>          /* default sids */
>>>>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n",
>>>>>> initial_sid_to_string[i]);
>>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>>> +                       initial_sid_to_string[i], mls ? ":"
>>>>>> SYSTEMHIGH : "");
>>>>>>          fprintf(fout, "\n");
>>>>>>
>>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr reiserfs
>>>>>> user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>>> -
>>>>>> -       fprintf(fout, "fs_use_task eventpollfs
>>>>>> user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>>> -
>>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs
>>>>>> user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>>> -
>>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>>> +
>>>>>> +       /*
>>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>>> +        */
>>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>>> +       FS_USE("xattr", "ext2");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>>> +       FS_USE("xattr", "ext3");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>>> +       FS_USE("xattr", "ext4");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>>> +       FS_USE("xattr", "jfs");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>>> +       FS_USE("xattr", "reiserfs");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>>> +       FS_USE("xattr", "jffs2");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_XFS_FS
>>>>>> +       FS_USE("xattr", "xfs");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_GFS2_FS
>>>>>> +       FS_USE("xattr", "gfs2");
>>>>>> +#endif
>>>>>> +
>>>>>> +       /*
>>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>>> +        */
>>>>>> +       FS_USE("task", "pipefs");
>>>>>> +       FS_USE("task", "sockfs");
>>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>>> +       FS_USE("task", "mqueue");
>>>>>> +#endif
>>>>>> +
>>>>>> +       /*
>>>>>> +        * Filesystems whose inode labels are computed from both
>>>>>> +        * the allocating task and the superblock label.
>>>>>> +        */
>>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>>> +       FS_USE("trans", "devpts");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>>> +#endif
>>>>>> +#ifdef CONFIG_TMPFS
>>>>>> +       FS_USE("trans", "tmpfs");
>>>>>> +#endif
>>>>>> +
>>>>>> +
>>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>>> +
>>>>>> +       /*
>>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>>> +        * relative to the filesystem root.  Depending on the
>>>>>> filesystem,
>>>>>> +        * only a single label for all inodes may be supported.
>>>>>> +        */
>>>>>> +       GENFSCON("proc", "/");
>>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>>
>>>>>>          fclose(fout);
>>>>>>
>>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>>                  printf("Wrote policy, but cannot open %s for
>>>>>> writing\n", ctxout);
>>>>>>                  usage(argv[0]);
>>>>>>          }
>>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":"
>>>>>> SYSTEMLOW : "");
>>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":"
>>>>>> SYSTEMLOW : "");
>>>>>>          fclose(fout);
>>>>>>
>>>>>>          return 0;
>>>>>> -- 
>>>>>> 2.20.1
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 16:52           ` Dominick Grift
@ 2019-02-15 17:16             ` Stephen Smalley
  2019-02-15 17:19               ` Dominick Grift
  2019-02-15 17:24             ` Dominick Grift
  1 sibling, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 17:16 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Paul Moore, selinux

On 2/15/19 11:52 AM, Dominick Grift wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
> 
>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>> two sensitivities and two categories, defines
>>>>>>> mls constraints for all permissions requiring
>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>> level to initial SID contexts and the default user
>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>
>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>> generate rules for filesystems that are configured
>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>> config option for security xattrs, in other cases security
>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>> filesystems.
>>>>>>>
>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>> We should probably expand it.
>>>>>>>
>>>>>>> Usage:
>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>
>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>
>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>> ---
>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>> SYSTEMLOW and
>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>    scripts/selinux/mdp/mdp.c | 131
>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>    1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>
>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>> mdp tool.
>>>>>>
>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>> merge something that you want to continue working on.  If you are
>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>> of a built kernel, but rather a developer's tool.
>>>>>
>>>>> No, I think I'm done for now unless you find a problem with
>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>> spending any more time on it.
>>>>
>>>> Note however that the instructions in
>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>> do it all by hand.
>>>
>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>> Partly appears to be due to systemd having embedded security
>>> contexts specific to Fedora/refpolicy into its own configurations
>>> and partly due to MLS denials.  I don't even know if it would work
>>> before this change though...
>>
>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>> permissive, before or after this change.  I assume it has to do with
>> leaking of contexts outside of the policy and/or missing config files
>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>> systemd_contexts and other userspace config files that don't exist in
>> the mdp policy).  More evidence of the irrelevance of mdp...
> 
> Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
> start without it, and these days without dbus no system

There is actually a dbus_contexts file provided for mdp 
(scripts/selinux/mdp/dbus_contexts) but not a systemd_contexts or any 
other *_contexts files besides file_contexts.

> 
>>
>>>
>>>>
>>>>>
>>>>>>
>>>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>>>> @@ -33,6 +33,7 @@
>>>>>>>    #include <unistd.h>
>>>>>>>    #include <string.h>
>>>>>>>    #include <sys/socket.h>
>>>>>>> +#include <linux/kconfig.h>
>>>>>>>
>>>>>>>    static void usage(char *name)
>>>>>>>    {
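Review bot: the new `#include <linux/kconfig.h>` is the only way the CONFIG_* guards used later in this patch get defined (kconfig.h pulls in generated/autoconf.h), yet the diffstat shows only mdp.c changing; please confirm the mdp host-tool build already has the kernel's include directories on its path, and consider a comment noting that the emitted fs_use/genfscon rules reflect the .config mdp was built against, which has to be the same config as the kernel the generated policy is installed on.
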
>>>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>>>           }
>>>>>>>           fprintf(fout, "\n");
>>>>>>>
>>>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>>>> +       /* print out mls declarations and constraints */
>>>>>>>           if (mls) {
>>>>>>> -               printf("MLS not yet implemented\n");
>>>>>>> -               exit(1);
>>>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>>>> +               fprintf(fout, "category c0;\n");
>>>>>>> +               fprintf(fout, "category c1;\n");
>>>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>>>> +#define SYSTEMLOW "s0"
>>>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>>>> +                       struct security_class_mapping *map =
>>>>>>> &secclass_map[i];
>>>>>>> +
>>>>>>> +                       fprintf(fout, "mlsconstrain %s {\n",
>>>>>>> map->name);
>>>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>>>> +                               fprintf(fout, "\t%s\n",
>>>>>>> map->perms[j]);
>>>>>>> +                       /*
>>>>>>> +                        * This requires all subjects and
>>>>>>> objects to be
>>>>>>> +                        * single-level (l2 eq h2), and that the
>>>>>>> subject
>>>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>>>> +                        * in order to have any permissions to it.
>>>>>>> +                        */
>>>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom
>>>>>>> h2);\n\n");
>>>>>>> +               }
>>>>>>>           }
>>>>>>>
>>>>>>>           /* types, roles, and allows */
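Review bot: the comment above the emitted constraint says all subjects and objects must be single-level, but `l2 eq h2` only constrains the target; nothing tests `l1 eq h1`, so a ranged subject is accepted as long as its high level dominates the object (which is what makes the `range s0 - s1:c0.c1` given to user_u later in this patch usable at all). Either change the comment to say objects, or add `l1 eq h1` if subjects are meant to be single-level too. Style point: SYSTEMLOW and SYSTEMHIGH are #defined inside the `if (mls) {` body but used outside it further down; the preprocessor does not scope them to the block, so they belong at file scope with the other macros.
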
>>>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>>>           for (i = 0; secclass_map[i].name; i++)
>>>>>>>                   fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>>>                           secclass_map[i].name);
>>>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>>>> -       fprintf(fout, "\n");
>>>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>>>> +       if (mls)
>>>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>>>> +       fprintf(fout, ";\n");
>>>>>>> +
>>>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>>>
>>>>>>>           /* default sids */
>>>>>>>           for (i = 1; i < initial_sid_to_string_len; i++)
>>>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n",
>>>>>>> initial_sid_to_string[i]);
>>>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>>>> +                       initial_sid_to_string[i], mls ? ":"
>>>>>>> SYSTEMHIGH : "");
>>>>>>>           fprintf(fout, "\n");
>>>>>>>
>>>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr reiserfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "fs_use_task eventpollfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>>>> +        */
>>>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext2");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext3");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext4");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>>>> +       FS_USE("xattr", "jfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "reiserfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "jffs2");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_XFS_FS
>>>>>>> +       FS_USE("xattr", "xfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_GFS2_FS
>>>>>>> +       FS_USE("xattr", "gfs2");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>>>> +        */
>>>>>>> +       FS_USE("task", "pipefs");
>>>>>>> +       FS_USE("task", "sockfs");
>>>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>>>> +       FS_USE("task", "mqueue");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inode labels are computed from both
>>>>>>> +        * the allocating task and the superblock label.
>>>>>>> +        */
>>>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>>>> +       FS_USE("trans", "devpts");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_TMPFS
>>>>>>> +       FS_USE("trans", "tmpfs");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +
>>>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>>>> +        * relative to the filesystem root.  Depending on the
>>>>>>> filesystem,
>>>>>>> +        * only a single label for all inodes may be supported.
>>>>>>> +        */
>>>>>>> +       GENFSCON("proc", "/");
>>>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>>>
>>>>>>>           fclose(fout);
>>>>>>>
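Review bot: the `#ifdef CONFIG_EXT3_FS_SECURITY` guard needs checking against current Kconfig: ext3 mounts have been served by the ext4 driver for many releases, and if that symbol no longer exists the guard is never true and the previously unconditional `fs_use_xattr ext3` rule silently disappears. Emitting the ext3 line under CONFIG_EXT4_FS_SECURITY next to ext4 avoids that. Two smaller points: FS_USE and GENFSCON rely on `fout` and `mls` from the enclosing scope and are never #undef'd, which deserves a one-line comment, and there is a doubled blank line before the GENFSCON definition.
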
>>>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>>>                   printf("Wrote policy, but cannot open %s for
>>>>>>> writing\n", ctxout);
>>>>>>>                   usage(argv[0]);
>>>>>>>           }
>>>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":"
>>>>>>> SYSTEMLOW : "");
>>>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":"
>>>>>>> SYSTEMLOW : "");
>>>>>>>           fclose(fout);
>>>>>>>
>>>>>>>           return 0;
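Review bot: `mls ? ":" SYSTEMLOW : ""` is now written out in four places (these two lines plus the FS_USE and GENFSCON macros); computing the suffix once, e.g. `const char *fslevel = mls ? ":" SYSTEMLOW : "";` after the MLS block, would keep the level chosen for filesystem objects in one spot so that file_contexts and the policy cannot drift apart in a later edit.
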
>>>>>>> -- 
>>>>>>> 2.20.1
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
> 
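
What the constraint the patch emits for every class actually decides can be checked with a small evaluator. The following is an added example written for this archive page, not code from mdp, the kernel tree or anyone in this thread: it parses MLS levels in the same two-sensitivity, two-category form the patch declares (SYSTEMLOW `s0`, SYSTEMHIGH `s1:c0.c1`), applies `(l2 eq h2 and h1 dom h2)` to constructed subject/object pairs, and shows that a ranged subject passes while a ranged object does not. The parser, the function names and the sample contexts are the example's own assumptions; sensitivities are taken to dominate in their declaration order (`dominance { s0 s1 }`), which the numeric index reproduces.

```c
/*
 * Added example, not from mdp or the kernel tree: evaluate the per-class MLS
 * constraint (l2 eq h2 and h1 dom h2) that mdp -m emits.  l1/h1 are the
 * subject's low/high level, l2/h2 the object's, as in the policy language.
 * Sample contexts use the patch's SYSTEMHIGH "s1:c0.c1" and SYSTEMLOW "s0".
 */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

struct mls_level { int sens; unsigned int cats; };	/* bit n of cats = cn */
struct mls_range { struct mls_level low, high; };	/* single-level: low == high */

/* Parse "sN" or "sN:cA.cB,cC..." (categories up to c31) into a level. */
static bool parse_level(const char *s, struct mls_level *lvl)
{
	int a, b, n, used = 0;
	if (sscanf(s, "s%d%n", &lvl->sens, &used) != 1 || lvl->sens < 0)
		return false;
	lvl->cats = 0;
	s += used;
	if (*s == '\0')
		return true;
	if (*s++ != ':')
		return false;
	while (*s) {
		if (sscanf(s, "c%d.c%d%n", &a, &b, &used) == 2) {	/* cA.cB */
			if (a < 0 || b < a || b > 31)
				return false;
			for (n = a; n <= b; n++)
				lvl->cats |= 1u << n;
		} else if (sscanf(s, "c%d%n", &a, &used) == 1) {	/* cA */
			if (a < 0 || a > 31)
				return false;
			lvl->cats |= 1u << a;
		} else {
			return false;
		}
		s += used;
		if (*s == ',')
			s++;
		else if (*s != '\0')
			return false;
	}
	return true;
}

/* Parse "LOW" or "LOW - HIGH" into a range. */
static bool parse_range(const char *s, struct mls_range *r)
{
	char buf[64], *sep;
	if (strlen(s) >= sizeof(buf))
		return false;
	strcpy(buf, s);
	sep = strstr(buf, " - ");
	if (!sep) {
		if (!parse_level(buf, &r->low))
			return false;
		r->high = r->low;
		return true;
	}
	*sep = '\0';
	return parse_level(buf, &r->low) && parse_level(sep + 3, &r->high);
}

/* "a dom b": a's sensitivity is at least b's (assumed to dominate in
 * declaration order, dominance { s0 s1 }) and a's categories include b's. */
static bool level_dom(const struct mls_level *a, const struct mls_level *b)
{
	return a->sens >= b->sens && (a->cats & b->cats) == b->cats;
}

/* 1 if (l2 eq h2 and h1 dom h2) permits, 0 if it denies, -1 on a bad level. */
int mls_constraint_allows(const char *subject, const char *object)
{
	struct mls_range s, o;
	if (!parse_range(subject, &s) || !parse_range(object, &o))
		return -1;
	if (o.low.sens != o.high.sens || o.low.cats != o.high.cats)	/* l2 eq h2 */
		return 0;
	return level_dom(&s.high, &o.high);	/* h1 dom h2 */
}

int main(void)
{
	static const char *pairs[][2] = {	/* constructed subject/object pairs */
		{ "s1:c0.c1", "s0" },            /* high subject, low object: allowed */
		{ "s0", "s1:c0.c1" },            /* low subject reading up: denied */
		{ "s0 - s1:c0.c1", "s0:c1" },    /* ranged subject: only h1 is tested */
		{ "s1:c0.c1", "s0 - s1:c0.c1" }, /* ranged object fails l2 eq h2 */
		{ "s1:c0", "s1:c1" },            /* same sensitivity, category missing */
	};
	for (size_t i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
		int r = mls_constraint_allows(pairs[i][0], pairs[i][1]);
		printf("%-16s -> %-16s %s\n", pairs[i][0], pairs[i][1],
		       r < 0 ? "parse error" : r ? "allowed" : "denied");
	}
	return 0;
}
```

Compile with any C99 compiler and run; `mls_constraint_allows()` returns 1 for allowed, 0 for denied and -1 for a malformed level string, so the same check can be reused when reasoning about which of the patch's SYSTEMHIGH initial SIDs can reach its SYSTEMLOW filesystem objects.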



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 17:16             ` Stephen Smalley
@ 2019-02-15 17:19               ` Dominick Grift
  0 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 17:19 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 2/15/19 11:52 AM, Dominick Grift wrote:
>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>
>>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>>> two sensitivities and two categories, defines
>>>>>>>> mls constraints for all permissions requiring
>>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>>> level to initial SID contexts and the default user
>>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>>
>>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>>> generate rules for filesystems that are configured
>>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>>> config option for security xattrs, in other cases security
>>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>>> filesystems.
>>>>>>>>
>>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>>> We should probably expand it.
>>>>>>>>
>>>>>>>> Usage:
>>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>>
>>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>>
>>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>>> ---
>>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>>> SYSTEMLOW and
>>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>>    scripts/selinux/mdp/mdp.c | 131
>>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>>    1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>>
>>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>>> mdp tool.
>>>>>>>
>>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>>> merge something that you want to continue working on.  If you are
>>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>>> of a built kernel, but rather a developer's tool.
>>>>>>
>>>>>> No, I think I'm done for now unless you find a problem with
>>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>>> spending any more time on it.
>>>>>
>>>>> Note however that the instructions in
>>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>>> do it all by hand.
>>>>
>>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>>> Partly appears to be due to systemd having embedded security
>>>> contexts specific to Fedora/refpolicy into its own configurations
>>>> and partly due to MLS denials.  I don't even know if it would work
>>>> before this change though...
>>>
>>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>>> permissive, before or after this change.  I assume it has to do with
>>> leaking of contexts outside of the policy and/or missing config files
>>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>>> systemd_contexts and other userspace config files that don't exist in
>>> the mdp policy).  More evidence of the irrelevance of mdp...
>>
>> Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
>> start without it, and these days without dbus no system
>
> There is actually a dbus_contexts file provided for mdp
> (scripts/selinux/mdp/dbus_contexts) but not a systemd_contexts or any
> other *_contexts files besides file_contexts.

There is no systemd_contexts; that never made it through. Any references
to that in libsemanage can be removed.

I suppose it might be related to no dbus and systemd access vector
support. Maybe that upsets dbus and/or systemd.

>
>>
>>>
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>>>>> @@ -33,6 +33,7 @@
>>>>>>>>    #include <unistd.h>
>>>>>>>>    #include <string.h>
>>>>>>>>    #include <sys/socket.h>
>>>>>>>> +#include <linux/kconfig.h>
>>>>>>>>
>>>>>>>>    static void usage(char *name)
>>>>>>>>    {
>>>>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>>>>           }
>>>>>>>>           fprintf(fout, "\n");
>>>>>>>>
>>>>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>>>>> +       /* print out mls declarations and constraints */
>>>>>>>>           if (mls) {
>>>>>>>> -               printf("MLS not yet implemented\n");
>>>>>>>> -               exit(1);
>>>>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>>>>> +               fprintf(fout, "category c0;\n");
>>>>>>>> +               fprintf(fout, "category c1;\n");
>>>>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>>>>> +#define SYSTEMLOW "s0"
>>>>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>>>>> +                       struct security_class_mapping *map =
>>>>>>>> &secclass_map[i];
>>>>>>>> +
>>>>>>>> +                       fprintf(fout, "mlsconstrain %s {\n",
>>>>>>>> map->name);
>>>>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>>>>> +                               fprintf(fout, "\t%s\n",
>>>>>>>> map->perms[j]);
>>>>>>>> +                       /*
>>>>>>>> +                        * This requires all subjects and
>>>>>>>> objects to be
>>>>>>>> +                        * single-level (l2 eq h2), and that the
>>>>>>>> subject
>>>>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>>>>> +                        * in order to have any permissions to it.
>>>>>>>> +                        */
>>>>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom
>>>>>>>> h2);\n\n");
>>>>>>>> +               }
>>>>>>>>           }
>>>>>>>>
>>>>>>>>           /* types, roles, and allows */
>>>>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>>>>           for (i = 0; secclass_map[i].name; i++)
>>>>>>>>                   fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>>>>                           secclass_map[i].name);
>>>>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>>>>> -       fprintf(fout, "\n");
>>>>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>>>>> +       if (mls)
>>>>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>>>>> +       fprintf(fout, ";\n");
>>>>>>>> +
>>>>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>>>>
>>>>>>>>           /* default sids */
>>>>>>>>           for (i = 1; i < initial_sid_to_string_len; i++)
>>>>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n",
>>>>>>>> initial_sid_to_string[i]);
>>>>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>>>>> +                       initial_sid_to_string[i], mls ? ":"
>>>>>>>> SYSTEMHIGH : "");
>>>>>>>>           fprintf(fout, "\n");
>>>>>>>>
>>>>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr reiserfs
>>>>>>>> user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>>>>> -
>>>>>>>> -       fprintf(fout, "fs_use_task eventpollfs
>>>>>>>> user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>>>>> -
>>>>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs
>>>>>>>> user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>>>>> -
>>>>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>>>>> +
>>>>>>>> +       /*
>>>>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>>>>> +        */
>>>>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>>>>> +       FS_USE("xattr", "ext2");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>>>>> +       FS_USE("xattr", "ext3");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>>>>> +       FS_USE("xattr", "ext4");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>>>>> +       FS_USE("xattr", "jfs");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>>>>> +       FS_USE("xattr", "reiserfs");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>>>>> +       FS_USE("xattr", "jffs2");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_XFS_FS
>>>>>>>> +       FS_USE("xattr", "xfs");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_GFS2_FS
>>>>>>>> +       FS_USE("xattr", "gfs2");
>>>>>>>> +#endif
>>>>>>>> +
>>>>>>>> +       /*
>>>>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>>>>> +        */
>>>>>>>> +       FS_USE("task", "pipefs");
>>>>>>>> +       FS_USE("task", "sockfs");
>>>>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>>>>> +       FS_USE("task", "mqueue");
>>>>>>>> +#endif
>>>>>>>> +
>>>>>>>> +       /*
>>>>>>>> +        * Filesystems whose inode labels are computed from both
>>>>>>>> +        * the allocating task and the superblock label.
>>>>>>>> +        */
>>>>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>>>>> +       FS_USE("trans", "devpts");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>>>>> +#endif
>>>>>>>> +#ifdef CONFIG_TMPFS
>>>>>>>> +       FS_USE("trans", "tmpfs");
>>>>>>>> +#endif
>>>>>>>> +
>>>>>>>> +
>>>>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>>>>> +
>>>>>>>> +       /*
>>>>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>>>>> +        * relative to the filesystem root.  Depending on the
>>>>>>>> filesystem,
>>>>>>>> +        * only a single label for all inodes may be supported.
>>>>>>>> +        */
>>>>>>>> +       GENFSCON("proc", "/");
>>>>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>>>>
>>>>>>>>           fclose(fout);
>>>>>>>>
>>>>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>>>>                   printf("Wrote policy, but cannot open %s for
>>>>>>>> writing\n", ctxout);
>>>>>>>>                   usage(argv[0]);
>>>>>>>>           }
>>>>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":"
>>>>>>>> SYSTEMLOW : "");
>>>>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":"
>>>>>>>> SYSTEMLOW : "");
>>>>>>>>           fclose(fout);
>>>>>>>>
>>>>>>>>           return 0;
>>>>>>>> -- 
>>>>>>>> 2.20.1
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 16:52           ` Dominick Grift
  2019-02-15 17:16             ` Stephen Smalley
@ 2019-02-15 17:24             ` Dominick Grift
  2019-02-15 19:11               ` Paul Moore
  1 sibling, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 17:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux

Dominick Grift <dac.override@gmail.com> writes:

> Stephen Smalley <sds@tycho.nsa.gov> writes:
>
>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>> two sensitivities and two categories, defines
>>>>>>> mls constraints for all permissions requiring
>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>> level to initial SID contexts and the default user
>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>
>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>> generate rules for filesystems that are configured
>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>> config option for security xattrs, in other cases security
>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>> filesystems.
>>>>>>>
>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>> We should probably expand it.
>>>>>>>
>>>>>>> Usage:
>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>
>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>
>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>> ---
>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>> SYSTEMLOW and
>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>   scripts/selinux/mdp/mdp.c | 131
>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>
>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>> mdp tool.
>>>>>>
>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>> merge something that you want to continue working on.  If you are
>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>> of a built kernel, but rather a developer's tool.
>>>>>
>>>>> No, I think I'm done for now unless you find a problem with
>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>> spending any more time on it.
>>>>
>>>> Note however that the instructions in
>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>> do it all by hand.
>>>
>>> FWIW, a Fedora system wouldn't come up cleanly with this policy. 
>>> Partly appears to be due to systemd having embedded security
>>> contexts specific to Fedora/refpolicy into its own configurations
>>> and partly due to MLS denials.  I don't even know if it would work
>>> before this change though...
>>
>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>> permissive, before or after this change.  I assume it has to do with
>> leaking of contexts outside of the policy and/or missing config files
>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>> systemd_contexts and other userspace config files that don't exist in
>> the mdp policy).  More evidence of the irrelevance of mdp...
>
> Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
> start without it, and these days without dbus no system

My dssp2-minimal [1] policy is my alternative to mdp.

https://github.com/DefenSec/dssp2-minimal

It is not quite as simple as mdp, but I think it is a decent balance
between having something useful and still easy to read.

>
>>
>>>
>>>>
>>>>>
>>>>>>
>>>>>>> diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
>>>>>>> index 073fe7537f6c..4223e2fea441 100644
>>>>>>> --- a/scripts/selinux/mdp/mdp.c
>>>>>>> +++ b/scripts/selinux/mdp/mdp.c
>>>>>>> @@ -33,6 +33,7 @@
>>>>>>>   #include <unistd.h>
>>>>>>>   #include <string.h>
>>>>>>>   #include <sys/socket.h>
>>>>>>> +#include <linux/kconfig.h>
>>>>>>>
>>>>>>>   static void usage(char *name)
>>>>>>>   {
>>>>>>> @@ -95,10 +96,31 @@ int main(int argc, char *argv[])
>>>>>>>          }
>>>>>>>          fprintf(fout, "\n");
>>>>>>>
>>>>>>> -       /* NOW PRINT OUT MLS STUFF */
>>>>>>> +       /* print out mls declarations and constraints */
>>>>>>>          if (mls) {
>>>>>>> -               printf("MLS not yet implemented\n");
>>>>>>> -               exit(1);
>>>>>>> +               fprintf(fout, "sensitivity s0;\n");
>>>>>>> +               fprintf(fout, "sensitivity s1;\n");
>>>>>>> +               fprintf(fout, "dominance { s0 s1 }\n");
>>>>>>> +               fprintf(fout, "category c0;\n");
>>>>>>> +               fprintf(fout, "category c1;\n");
>>>>>>> +               fprintf(fout, "level s0:c0.c1;\n");
>>>>>>> +               fprintf(fout, "level s1:c0.c1;\n");
>>>>>>> +#define SYSTEMLOW "s0"
>>>>>>> +#define SYSTEMHIGH "s1:c0.c1"
>>>>>>> +               for (i = 0; secclass_map[i].name; i++) {
>>>>>>> +                       struct security_class_mapping *map =
>>>>>>> &secclass_map[i];
>>>>>>> +
>>>>>>> +                       fprintf(fout, "mlsconstrain %s {\n",
>>>>>>> map->name);
>>>>>>> +                       for (j = 0; map->perms[j]; j++)
>>>>>>> +                               fprintf(fout, "\t%s\n",
>>>>>>> map->perms[j]);
>>>>>>> +                       /*
>>>>>>> +                        * This requires all subjects and
>>>>>>> objects to be
>>>>>>> +                        * single-level (l2 eq h2), and that the
>>>>>>> subject
>>>>>>> +                        * level dominate the object level (h1 dom h2)
>>>>>>> +                        * in order to have any permissions to it.
>>>>>>> +                        */
>>>>>>> +                       fprintf(fout, "} (l2 eq h2 and h1 dom
>>>>>>> h2);\n\n");
>>>>>>> +               }
>>>>>>>          }
>>>>>>>
>>>>>>>          /* types, roles, and allows */
>>>>>>> @@ -108,34 +130,87 @@ int main(int argc, char *argv[])
>>>>>>>          for (i = 0; secclass_map[i].name; i++)
>>>>>>>                  fprintf(fout, "allow base_t base_t:%s *;\n",
>>>>>>>                          secclass_map[i].name);
>>>>>>> -       fprintf(fout, "user user_u roles { base_r };\n");
>>>>>>> -       fprintf(fout, "\n");
>>>>>>> +       fprintf(fout, "user user_u roles { base_r }");
>>>>>>> +       if (mls)
>>>>>>> +               fprintf(fout, " level %s range %s - %s", SYSTEMHIGH,
>>>>>>> +                       SYSTEMLOW, SYSTEMHIGH);
>>>>>>> +       fprintf(fout, ";\n");
>>>>>>> +
>>>>>>> +#define USERROLETYPE "user_u:base_r:base_t"
>>>>>>>
>>>>>>>          /* default sids */
>>>>>>>          for (i = 1; i < initial_sid_to_string_len; i++)
>>>>>>> -               fprintf(fout, "sid %s user_u:base_r:base_t\n",
>>>>>>> initial_sid_to_string[i]);
>>>>>>> +               fprintf(fout, "sid %s " USERROLETYPE "%s\n",
>>>>>>> +                       initial_sid_to_string[i], mls ? ":"
>>>>>>> SYSTEMHIGH : "");
>>>>>>>          fprintf(fout, "\n");
>>>>>>>
>>>>>>> -       fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr reiserfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "fs_use_task eventpollfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans hugetlbfs
>>>>>>> user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
>>>>>>> -       fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
>>>>>>> -
>>>>>>> -       fprintf(fout, "genfscon proc / user_u:base_r:base_t\n");
>>>>>>> +#define FS_USE(behavior, fstype)                           \
>>>>>>> +       fprintf(fout, "fs_use_%s %s " USERROLETYPE "%s;\n", \
>>>>>>> +               behavior, fstype, mls ? ":" SYSTEMLOW : "")
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inode labels can be fetched via getxattr.
>>>>>>> +        */
>>>>>>> +#ifdef CONFIG_EXT2_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext2");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_EXT3_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext3");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_EXT4_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "ext4");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_JFS_SECURITY
>>>>>>> +       FS_USE("xattr", "jfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_REISERFS_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "reiserfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_JFFS2_FS_SECURITY
>>>>>>> +       FS_USE("xattr", "jffs2");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_XFS_FS
>>>>>>> +       FS_USE("xattr", "xfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_GFS2_FS
>>>>>>> +       FS_USE("xattr", "gfs2");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inodes are labeled from allocating task.
>>>>>>> +        */
>>>>>>> +       FS_USE("task", "pipefs");
>>>>>>> +       FS_USE("task", "sockfs");
>>>>>>> +#ifdef CONFIG_POSIX_MQUEUE
>>>>>>> +       FS_USE("task", "mqueue");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inode labels are computed from both
>>>>>>> +        * the allocating task and the superblock label.
>>>>>>> +        */
>>>>>>> +#ifdef CONFIG_UNIX98_PTYS
>>>>>>> +       FS_USE("trans", "devpts");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_HUGETLBFS
>>>>>>> +       FS_USE("trans", "hugetlbfs");
>>>>>>> +#endif
>>>>>>> +#ifdef CONFIG_TMPFS
>>>>>>> +       FS_USE("trans", "tmpfs");
>>>>>>> +#endif
>>>>>>> +
>>>>>>> +
>>>>>>> +#define GENFSCON(fstype, prefix)                            \
>>>>>>> +       fprintf(fout, "genfscon %s %s " USERROLETYPE "%s\n", \
>>>>>>> +               fstype, prefix, mls ? ":" SYSTEMLOW : "")
>>>>>>> +
>>>>>>> +       /*
>>>>>>> +        * Filesystems whose inodes are labeled from path prefix match
>>>>>>> +        * relative to the filesystem root.  Depending on the
>>>>>>> filesystem,
>>>>>>> +        * only a single label for all inodes may be supported.
>>>>>>> +        */
>>>>>>> +       GENFSCON("proc", "/");
>>>>>>> +       GENFSCON("selinuxfs", "/");
>>>>>>>
>>>>>>>          fclose(fout);
>>>>>>>
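Review bot: the `#ifdef CONFIG_EXT2_FS_SECURITY` through `#ifdef CONFIG_TMPFS` guards evaluate to false, and silently drop the corresponding `fs_use_*` rules, unless the host compile of mdp sees the kernel's generated autoconf.h; the diffstat lists only mdp.c, so please confirm the existing mdp Makefile already puts the generated include directory on the host include path, otherwise a policy built this way would leave ext4, xfs and the rest without labeling rules and nothing in the output would flag it. A cheap safeguard is `#ifndef CONFIG_SECURITY_SELINUX` / `#error` at the top of the file, which fails the build instead of emitting a half-empty policy. Style nit: there are two consecutive blank lines before `#define GENFSCON`, which checkpatch warns about.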
>>>>>>> @@ -144,8 +219,8 @@ int main(int argc, char *argv[])
>>>>>>>                  printf("Wrote policy, but cannot open %s for
>>>>>>> writing\n", ctxout);
>>>>>>>                  usage(argv[0]);
>>>>>>>          }
>>>>>>> -       fprintf(fout, "/ user_u:base_r:base_t\n");
>>>>>>> -       fprintf(fout, "/.* user_u:base_r:base_t\n");
>>>>>>> +       fprintf(fout, "/ " USERROLETYPE "%s\n", mls ? ":"
>>>>>>> SYSTEMLOW : "");
>>>>>>> +       fprintf(fout, "/.* " USERROLETYPE "%s\n", mls ? ":"
>>>>>>> SYSTEMLOW : "");
>>>>>>>          fclose(fout);
>>>>>>>
>>>>>>>          return 0;
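Review bot: `mls ? ":" SYSTEMLOW : ""` (or its SYSTEMHIGH twin) is now spelled out at five sites, the sid loop, the `FS_USE` and `GENFSCON` macros and the two file_contexts lines here; a single helper such as `#define MLS_SUFFIX(lvl) (mls ? ":" lvl : "")` next to `USERROLETYPE` would keep them from drifting apart, which matters because the sid loop uses SYSTEMHIGH while every filesystem and file_contexts entry uses SYSTEMLOW, and that deliberate asymmetry is currently only discoverable by reading each site.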
>>>>>>> -- 
>>>>>>> 2.20.1
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


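The constraint in the patch quoted above, `(l2 eq h2 and h1 dom h2)`, decides every MLS check in an mdp-generated policy, so it is worth seeing what it accepts and rejects. The program below is an added example, not code from the patch or from the kernel: it evaluates that expression under SELinux MLS semantics (a level dominates another when its sensitivity is not lower and its category set contains the other's) for contexts constructed to fit the two sensitivities and two categories the commit message declares. The names s0, s1, c0, c1, the reading SYSTEMLOW = s0 and SYSTEMHIGH = s1:c0.c1, and the `mls_*`/`ctx_*` identifiers are assumptions of this example.

```c
/*
 * Added example, not code from the patch or from the kernel: evaluates the
 * mlsconstrain expression "(l2 eq h2 and h1 dom h2)" that mdp emits for every
 * permission of every class, under SELinux MLS semantics.  A level dominates
 * another when its sensitivity is not lower and its category set contains the
 * other's; "eq" is equality of both.  The level values are constructed to fit
 * the two sensitivities and two categories the commit message declares; the
 * names s0, s1, c0, c1 and the SYSTEMLOW = s0 / SYSTEMHIGH = s1:c0.c1 reading
 * are assumptions of this example.
 */
#include <stdbool.h>
#include <stdio.h>

#define CAT_C0 (1u << 0)
#define CAT_C1 (1u << 1)

struct mls_level {
	unsigned int sens;   /* sensitivity index: 0 = s0, 1 = s1 */
	unsigned int cats;   /* category bitmap */
};

/* A context's MLS range.  A single-level context has low == high. */
struct mls_range {
	struct mls_level low;
	struct mls_level high;
};

/* a dom b: sensitivity at least b's, category set a superset of b's. */
bool mls_level_dom(const struct mls_level *a, const struct mls_level *b)
{
	return a->sens >= b->sens && (b->cats & ~a->cats) == 0;
}

bool mls_level_eq(const struct mls_level *a, const struct mls_level *b)
{
	return a->sens == b->sens && a->cats == b->cats;
}

/*
 * mdp's constraint with l1/h1 = source low/high, l2/h2 = target low/high.
 * Only the target has to be single-level; the source may carry a range.
 */
bool mdp_mls_constraint(const struct mls_range *src, const struct mls_range *tgt)
{
	return mls_level_eq(&tgt->low, &tgt->high) &&
	       mls_level_dom(&src->high, &tgt->low);
}

/* Constructed contexts for the example. */
const struct mls_range ctx_s0 = { { 0, 0 }, { 0, 0 } };                     /* SYSTEMLOW */
const struct mls_range ctx_s1_c0 = { { 1, CAT_C0 }, { 1, CAT_C0 } };
const struct mls_range ctx_s1_c0c1 = { { 1, CAT_C0 | CAT_C1 },
				       { 1, CAT_C0 | CAT_C1 } };           /* SYSTEMHIGH */
const struct mls_range ctx_s0_to_high = { { 0, 0 },
					  { 1, CAT_C0 | CAT_C1 } };        /* SYSTEMLOW - SYSTEMHIGH */

static void show(const char *what, bool ok)
{
	printf("%-56s %s\n", what, ok ? "passes" : "DENIED by mlsconstrain");
}

int main(void)
{
	/* system-high subject to a system-low filesystem object: the normal case */
	show("s1:c0.c1 subject -> s0 object", mdp_mls_constraint(&ctx_s1_c0c1, &ctx_s0));
	/* system-low subject to a system-high initial-SID object: sensitivity too low */
	show("s0 subject -> s1:c0.c1 object", mdp_mls_constraint(&ctx_s0, &ctx_s1_c0c1));
	/* same sensitivity, but the subject lacks category c1 */
	show("s1:c0 subject -> s1:c0.c1 object", mdp_mls_constraint(&ctx_s1_c0, &ctx_s1_c0c1));
	/* a ranged source is fine: only h1 is consulted */
	show("s0-s1:c0.c1 subject -> s0 object", mdp_mls_constraint(&ctx_s0_to_high, &ctx_s0));
	/* a ranged target fails l2 eq h2 regardless of the subject */
	show("s1:c0.c1 subject -> s0-s1:c0.c1 object", mdp_mls_constraint(&ctx_s1_c0c1, &ctx_s0_to_high));
	return 0;
}
```

The last two rows are the asymmetry worth remembering: a process that ends up running with the full `user_u` range still passes as a subject, but is denied for every class as soon as it is the target of a check.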
* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 17:24             ` Dominick Grift
@ 2019-02-15 19:11               ` Paul Moore
  2019-02-15 19:21                 ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Paul Moore @ 2019-02-15 19:11 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Stephen Smalley, selinux

On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
> Dominick Grift <dac.override@gmail.com> writes:
> > Stephen Smalley <sds@tycho.nsa.gov> writes:
> >
> >> On 2/15/19 10:25 AM, Stephen Smalley wrote:
> >>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
> >>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
> >>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
> >>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
> >>>>>> <sds@tycho.nsa.gov> wrote:
> >>>>>>> Add basic MLS policy support to mdp.  Declares
> >>>>>>> two sensitivities and two categories, defines
> >>>>>>> mls constraints for all permissions requiring
> >>>>>>> dominance (ala MCS), assigns the system-high
> >>>>>>> level to initial SID contexts and the default user
> >>>>>>> level, and assigns system-low level to filesystems.
> >>>>>>>
> >>>>>>> Also reworks the fs_use and genfscon rules to only
> >>>>>>> generate rules for filesystems that are configured
> >>>>>>> in the kernel.  In some cases this depends on a specific
> >>>>>>> config option for security xattrs, in other cases security
> >>>>>>> xattrs are unconditionally supported by a given filesystem
> >>>>>>> if the filesystem is enabled, and in some cases the filesystem
> >>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
> >>>>>>> filesystems.
> >>>>>>>
> >>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
> >>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
> >>>>>>> We should probably expand it.
> >>>>>>>
> >>>>>>> Usage:
> >>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >>>>>>> checkpolicy -M -o policy policy.conf
> >>>>>>>
> >>>>>>> Then install the resulting policy and file_contexts as usual.
> >>>>>>>
> >>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> >>>>>>> ---
> >>>>>>> v3 fixes up the file contexts generation code to also use
> >>>>>>> SYSTEMLOW and
> >>>>>>> collapse down to a single fprintf call per line.
> >>>>>>>   scripts/selinux/mdp/mdp.c | 131
> >>>>>>> ++++++++++++++++++++++++++++++--------
> >>>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
> >>>>>>
> >>>>>> This is great Stephen, thanks for working on this - and rather quickly
> >>>>>> too!  For those who don't follow the GitHub issues, I just opened an
> >>>>>> issue yesterday mentioning it would be nice to add MLS support to the
> >>>>>> mdp tool.
> >>>>>>
> >>>>>> Are you planning to keep playing with this?  I'm asking not because I
> >>>>>> think it needs more work to be worthwhile, but rather I don't want to
> >>>>>> merge something that you want to continue working on.  If you are
> >>>>>> happy with this latest patch I think it is okay to merge this into
> >>>>>> selinux/next, even at this late stage, simply because it is not part
> >>>>>> of a built kernel, but rather a developer's tool.
> >>>>>
> >>>>> No, I think I'm done for now unless you find a problem with
> >>>>> it. Absent some compelling use case for mdp it is hard to justify
> >>>>> spending any more time on it.
> >>>>
> >>>> Note however that the instructions in
> >>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
> >>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
> >>>> mdp or -M to checkpolicy, no one will use this support unless they
> >>>> do it all by hand.
> >>>
> >>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
> >>> Partly appears to be due to systemd having embedded security
> >>> contexts specific to Fedora/refpolicy into its own configurations
> >>> and partly due to MLS denials.  I don't even know if it would work
> >>> before this change though...
> >>
> >> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
> >> permissive, before or after this change.  I assume it has to do with
> >> leaking of contexts outside of the policy and/or missing config files
> >> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
> >> systemd_contexts and other userspace config files that don't exist in
> >> the mdp policy).  More evidence of the irrelevance of mdp...
> >
> > Oh, right you need a "dbus_contexts" file probably. DBUS refuses to
> > start without it, and these days without dbus no system
>
> My dssp2-minimal [1] policy is my alternative to mdp.
>
> https://github.com/DefenSec/dssp2-minimal
>
> It is not quite as simple as mdp but I think it is a decent balance
> between having something useful and still easy to read.

While dssp2-minimal is much smaller than reference policy, it's still
an order of magnitude larger than the mdp generated policy.  I'm not
sure if this is something you care about, but if you wanted to work on
getting mdp to the point where it would allow a Fedora system (or any
modern SELinux based system for that matter) to boot, that could be
useful, even if I'm not convinced it needs to be a priority at the
moment.

Besides, haven't you always wanted to get a patch accepted into the
kernel Dominick? ;)

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 19:11               ` Paul Moore
@ 2019-02-15 19:21                 ` Dominick Grift
  2019-02-15 19:30                   ` Stephen Smalley
  0 siblings, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 19:21 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, selinux

Paul Moore <paul@paul-moore.com> writes:

> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
>> Dominick Grift <dac.override@gmail.com> writes:
>> > Stephen Smalley <sds@tycho.nsa.gov> writes:
>> >
>> >> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>> >>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>> >>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>> >>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>> >>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>> >>>>>> <sds@tycho.nsa.gov> wrote:
>> >>>>>>> Add basic MLS policy support to mdp.  Declares
>> >>>>>>> two sensitivities and two categories, defines
>> >>>>>>> mls constraints for all permissions requiring
>> >>>>>>> dominance (ala MCS), assigns the system-high
>> >>>>>>> level to initial SID contexts and the default user
>> >>>>>>> level, and assigns system-low level to filesystems.
>> >>>>>>>
>> >>>>>>> Also reworks the fs_use and genfscon rules to only
>> >>>>>>> generate rules for filesystems that are configured
>> >>>>>>> in the kernel.  In some cases this depends on a specific
>> >>>>>>> config option for security xattrs, in other cases security
>> >>>>>>> xattrs are unconditionally supported by a given filesystem
>> >>>>>>> if the filesystem is enabled, and in some cases the filesystem
>> >>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>> >>>>>>> filesystems.
>> >>>>>>>
>> >>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>> >>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>> >>>>>>> We should probably expand it.
>> >>>>>>>
>> >>>>>>> Usage:
>> >>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>> >>>>>>> checkpolicy -M -o policy policy.conf
>> >>>>>>>
>> >>>>>>> Then install the resulting policy and file_contexts as usual.
>> >>>>>>>
>> >>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> >>>>>>> ---
>> >>>>>>> v3 fixes up the file contexts generation code to also use
>> >>>>>>> SYSTEMLOW and
>> >>>>>>> collapse down to a single fprintf call per line.
>> >>>>>>>   scripts/selinux/mdp/mdp.c | 131
>> >>>>>>> ++++++++++++++++++++++++++++++--------
>> >>>>>>>   1 file changed, 103 insertions(+), 28 deletions(-)
>> >>>>>>
>> >>>>>> This is great Stephen, thanks for working on this - and rather quickly
>> >>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>> >>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>> >>>>>> mdp tool.
>> >>>>>>
>> >>>>>> Are you planning to keep playing with this?  I'm asking not because I
>> >>>>>> think it needs more work to be worthwhile, but rather I don't want to
>> >>>>>> merge something that you want to continue working on.  If you are
>> >>>>>> happy with this latest patch I think it is okay to merge this into
>> >>>>>> selinux/next, even at this late stage, simply because it is not part
>> >>>>>> of a built kernel, but rather a developer's tool.
>> >>>>>
>> >>>>> No, I think I'm done for now unless you find a problem with
>> >>>>> it. Absent some compelling use case for mdp it is hard to justify
>> >>>>> spending any more time on it.
>> >>>>
>> >>>> Note however that the instructions in
>> >>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>> >>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>> >>>> mdp or -M to checkpolicy, no one will use this support unless they
>> >>>> do it all by hand.
>> >>>
>> >>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>> >>> Partly appears to be due to systemd having embedded security
>> >>> contexts specific to Fedora/refpolicy into its own configurations
>> >>> and partly due to MLS denials.  I don't even know if it would work
>> >>> before this change though...
>> >>
>> >> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>> >> permissive, before or after this change.  I assume it has to do with
>> >> leaking of contexts outside of the policy and/or missing config files
>> >> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>> >> systemd_contexts and other userspace config files that don't exist in
>> >> the mdp policy).  More evidence of the irrelevance of mdp...
>> >
>> > Oh, right you need a "dbus_contexts" file probably. DBUS refuses to
>> > start without it, and these days without dbus no system
>>
>> My dssp2-minimal [1] policy is my alternative to mdp.
>>
>> https://github.com/DefenSec/dssp2-minimal
>>
>> It is not quite as simple as mdp but I think it is a decent balance
>> between having something useful and still easy to read.
>
> While dssp2-minimal is much smaller than reference policy, it's still
> an order of magnitude larger than the mdp generated policy.  I'm not
> sure if this is something you care about, but if you wanted to work on
> getting mdp to the point where it would allow a Fedora system (or any
> modern SELinux based system for that matter) to boot, that could be
> useful, even if I'm not convinced it needs to be a priority at the
> moment.

It is also an order of magnitude more useful than mdp.

I suppose I could look at what it would take to get it to boot on some
rainy afternoon. Should not be hard, but I hesitate to pollute mdp with
user space access vectors. It feels like setting a precedent somehow.

>
> Besides, haven't you always wanted to get a patch accepted into the
> kernel Dominick? ;)

Not particularly, no.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 19:21                 ` Dominick Grift
@ 2019-02-15 19:30                   ` Stephen Smalley
  2019-02-15 19:36                     ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 19:30 UTC (permalink / raw)
  To: Dominick Grift, Paul Moore; +Cc: selinux

On 2/15/19 2:21 PM, Dominick Grift wrote:
> Paul Moore <paul@paul-moore.com> writes:
> 
>> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
>>> Dominick Grift <dac.override@gmail.com> writes:
>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>
>>>>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>>>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>>>>> two sensitivities and two categories, defines
>>>>>>>>>> mls constraints for all permissions requiring
>>>>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>>>>> level to initial SID contexts and the default user
>>>>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>>>>
>>>>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>>>>> generate rules for filesystems that are configured
>>>>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>>>>> config option for security xattrs, in other cases security
>>>>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>>>>> filesystems.
>>>>>>>>>>
>>>>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>>>>> We should probably expand it.
>>>>>>>>>>
>>>>>>>>>> Usage:
>>>>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>>>>
>>>>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>>>>
>>>>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>>>>> ---
>>>>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>>>>> SYSTEMLOW and
>>>>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>>>>    scripts/selinux/mdp/mdp.c | 131
>>>>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>>>>    1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>>>>
>>>>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>>>>> mdp tool.
>>>>>>>>>
>>>>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>>>>> merge something that you want to continue working on.  If you are
>>>>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>>>>> of a built kernel, but rather a developer's tool.
>>>>>>>>
>>>>>>>> No, I think I'm done for now unless you find a problem with
>>>>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>>>>> spending any more time on it.
>>>>>>>
>>>>>>> Note however that the instructions in
>>>>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>>>>> do it all by hand.
>>>>>>
>>>>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>>>>> Partly appears to be due to systemd having embedded security
>>>>>> contexts specific to Fedora/refpolicy into its own configurations
>>>>>> and partly due to MLS denials.  I don't even know if it would work
>>>>>> before this change though...
>>>>>
>>>>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>>>>> permissive, before or after this change.  I assume it has to do with
>>>>> leaking of contexts outside of the policy and/or missing config files
>>>>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>>>>> systemd_contexts and other userspace config files that don't exist in
>>>>> the mdp policy).  More evidence of the irrelevance of mdp...
>>>>
>>>> Oh, right you need a "dbus_contexts" file probably. DBUS refuses to
>>>> start without it, and these days without dbus no system
>>>
>>> My dssp2-minimal [1] policy is my alternative to mdp.
>>>
>>> https://github.com/DefenSec/dssp2-minimal
>>>
>>> It is not quite as simple as mdp but I think it is a decent balance
>>> between having something useful and still easy to read.
>>
>> While dssp2-minimal is much smaller than reference policy, it's still
>> an order of magnitude larger than the mdp generated policy.  I'm not
>> sure if this is something you care about, but if you wanted to work on
>> getting mdp to the point where it would allow a Fedora system (or any
>> modern SELinux based system for that matter) to boot, that could be
>> useful, even if I'm not convinced it needs to be a priority at the
>> moment.
> 
> It is also an order of magnitude more useful than mdp.
> 
> I suppose I could look at what it would take to get it to boot on some
> rainy afternoon. Should not be hard, but I hesitate to pollute mdp with
> user space access vectors. It feels like setting a precedent somehow.

In theory, if using selinux_check_access() to check permissions and if 
the policy sets allow_unknown=true, then the absence of the userspace 
classes and access vectors should just cause all userspace permission 
checks to pass.

Of course, not all userspace object managers use selinux_check_access(), 
and may not check security_deny_unknown() directly.

> 
>>
>> Besides, haven't you always wanted to get a patch accepted into the
>> kernel Dominick? ;)
> 
> Not particularly, no.
> 



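Stephen's point above, that an object manager calling selinux_check_access() against an allow_unknown policy gets a pass for classes the policy never defines while one that skips security_deny_unknown() does not, as an added example that is not part of this thread, of the kernel or of libselinux. The program models the decision with a constructed class table (kernel classes only, no `dbus` class, the shape of an mdp policy) and contrasts a check that follows the selinux_check_access() contract with a hand-rolled one that always denies unknown classes. The `om_*` function names and the two `policy_*` tables are assumptions of this example; the libselinux behaviour it mirrors is that selinux_check_access() consults security_deny_unknown() when string_to_security_class() cannot map the class name.

```c
/*
 * Added example (not part of the patch, the kernel or libselinux): a model of
 * the decision a userspace object manager must make when the class it is
 * checking does not exist in the loaded policy.  libselinux's
 * selinux_check_access() handles this itself: when string_to_security_class()
 * cannot map the class name it falls back to security_deny_unknown(), so an
 * allow_unknown policy makes the check pass.  A hand-rolled check that skips
 * that step denies instead.  Class table and function names are constructed
 * for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OM_ALLOW 0      /* same convention as selinux_check_access(): 0 = allowed */
#define OM_DENY (-1)    /* -1 = denied */

struct policy_class {
	const char *name;
	const char *perms[8];   /* NULL-terminated permission names */
	unsigned int allowed;   /* bit i set: perms[i] granted base_t -> base_t */
};

struct policy {
	int deny_unknown;                    /* 1 = deny_unknown, 0 = allow_unknown */
	const struct policy_class *classes;  /* terminated by a NULL name */
};

/* Constructed class table: kernel classes only, no userspace classes,
 * and every defined permission allowed, like mdp's "allow ... *;" rules. */
static const struct policy_class kernel_only_classes[] = {
	{ "file",    { "read", "write", "open", "getattr", NULL }, ~0u },
	{ "process", { "fork", "signal", "transition", NULL },    ~0u },
	{ NULL,      { NULL },                                    0   },
};

const struct policy policy_allow_unknown = { 0, kernel_only_classes };
const struct policy policy_deny_unknown  = { 1, kernel_only_classes };

/* Like string_to_security_class(): 1-based class index, 0 when unknown. */
unsigned int om_class_lookup(const struct policy *p, const char *name)
{
	unsigned int i;

	for (i = 0; p->classes[i].name; i++)
		if (strcmp(p->classes[i].name, name) == 0)
			return i + 1;
	return 0;
}

/* Like string_to_av_perm(): 1-based permission index, 0 when unknown. */
unsigned int om_perm_lookup(const struct policy_class *c, const char *perm)
{
	unsigned int i;

	for (i = 0; c->perms[i]; i++)
		if (strcmp(c->perms[i], perm) == 0)
			return i + 1;
	return 0;
}

/* The selinux_check_access() contract: an unknown class or permission is
 * decided by the policy's deny_unknown flag, everything else by the AVC. */
int om_check_access(const struct policy *p, const char *tclass, const char *perm)
{
	unsigned int sclass = om_class_lookup(p, tclass);
	const struct policy_class *c;
	unsigned int pidx;

	if (sclass == 0)
		return p->deny_unknown ? OM_DENY : OM_ALLOW;
	c = &p->classes[sclass - 1];
	pidx = om_perm_lookup(c, perm);
	if (pidx == 0)
		return p->deny_unknown ? OM_DENY : OM_ALLOW;
	/* stand-in for the AVC lookup */
	return ((c->allowed >> (pidx - 1)) & 1u) ? OM_ALLOW : OM_DENY;
}

/* A check that never consults deny_unknown: anything the policy does not
 * define fails, even under an allow_unknown policy. */
int om_check_access_naive(const struct policy *p, const char *tclass, const char *perm)
{
	unsigned int sclass = om_class_lookup(p, tclass);
	const struct policy_class *c;
	unsigned int pidx;

	if (sclass == 0)
		return OM_DENY;
	c = &p->classes[sclass - 1];
	pidx = om_perm_lookup(c, perm);
	if (pidx == 0)
		return OM_DENY;
	return ((c->allowed >> (pidx - 1)) & 1u) ? OM_ALLOW : OM_DENY;
}

int main(void)
{
	printf("file:read, allow_unknown       -> %d\n",
	       om_check_access(&policy_allow_unknown, "file", "read"));
	printf("dbus:send_msg, allow_unknown   -> %d\n",
	       om_check_access(&policy_allow_unknown, "dbus", "send_msg"));
	printf("dbus:send_msg, deny_unknown    -> %d\n",
	       om_check_access(&policy_deny_unknown, "dbus", "send_msg"));
	printf("dbus:send_msg, naive manager   -> %d\n",
	       om_check_access_naive(&policy_allow_unknown, "dbus", "send_msg"));
	return 0;
}
```

The third and fourth results are the ones that matter for the thread: under an allow_unknown policy the contract-following check lets the `dbus` permission through even though the class is absent, while the naive manager denies it, which is exactly the kind of object manager that would still break on an mdp policy without userspace access vectors.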
* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 19:30                   ` Stephen Smalley
@ 2019-02-15 19:36                     ` Dominick Grift
  2019-02-15 19:48                       ` Stephen Smalley
  0 siblings, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-15 19:36 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 2/15/19 2:21 PM, Dominick Grift wrote:
>> Paul Moore <paul@paul-moore.com> writes:
>>
>>> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
>>>> Dominick Grift <dac.override@gmail.com> writes:
>>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>>
>>>>>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>>>>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>>>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>>>>>> two sensitivities and two categories, defines
>>>>>>>>>>> mls constraints for all permissions requiring
>>>>>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>>>>>> level to initial SID contexts and the default user
>>>>>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>>>>>
>>>>>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>>>>>> generate rules for filesystems that are configured
>>>>>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>>>>>> config option for security xattrs, in other cases security
>>>>>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>>>>>> filesystems.
>>>>>>>>>>>
>>>>>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>>>>>> We should probably expand it.
>>>>>>>>>>>
>>>>>>>>>>> Usage:
>>>>>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>>>>>
>>>>>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>>>>>
>>>>>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>>>>>> ---
>>>>>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>>>>>> SYSTEMLOW and
>>>>>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>>>>>    scripts/selinux/mdp/mdp.c | 131
>>>>>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>>>>>    1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>>>>>
>>>>>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>>>>>> mdp tool.
>>>>>>>>>>
>>>>>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>>>>>> merge something that you want to continue working on.  If you are
>>>>>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>>>>>> of a built kernel, but rather a developer's tool.
>>>>>>>>>
>>>>>>>>> No, I think I'm done for now unless you find a problem with
>>>>>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>>>>>> spending any more time on it.
>>>>>>>>
>>>>>>>> Note however that the instructions in
>>>>>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>>>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>>>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>>>>>> do it all by hand.
>>>>>>>
>>>>>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>>>>>> Partly appears to be due to systemd having embedded security
>>>>>>> contexts specific to Fedora/refpolicy into its own configurations
>>>>>>> and partly due to MLS denials.  I don't even know if it would work
>>>>>>> before this change though...
>>>>>>
>>>>>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>>>>>> permissive, before or after this change.  I assume it has to do with
>>>>>> leaking of contexts outside of the policy and/or missing config files
>>>>>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>>>>>> systemd_contexts and other userspace config files that don't exist in
>>>>>> the mdp policy).  More evidence of the irrelevance of mdp...
>>>>>
>>>>> Oh, right you need a "dbus_contexts" file probably. DBUS refuses to
>>>>> start without it, and these days without dbus no system
>>>>
>>>> My dssp2-minimal [1] policy is my alternative to mdp.
>>>>
>>>> https://github.com/DefenSec/dssp2-minimal
>>>>
>>>> It is not quite as simple as mdp but I think it is a decent balance
>>>> between having something useful and still easy to read.
>>>
>>> While dssp2-minimal is much smaller than reference policy, it's still
>>> an order of magnitude larger than the mdp generated policy.  I'm not
>>> sure if this is something you care about, but if you wanted to work on
>>> getting mdp to the point where it would allow a Fedora system (or any
>>> modern SELinux based system for that matter) to boot, that could be
>>> useful, even if I'm not convinced it needs to be a priority at the
>>> moment.
>>
>> It is also an order of magnitude more useful than mdp.
>>
>> I suppose I could look at what it would take to get it to boot on some
>> rainy afternoon. Should not be hard, but I hesitate to pollute mdp with
>> user space access vectors. It feels like setting a precedent somehow.
>
> In theory, if using selinux_check_access() to check permissions and if
> the policy sets allow_unknown=true, then the absence of the userspace
> classes and access vectors should just cause all userspace permission
> checks to pass.
>
> Of course, not all userspace object managers use
> selinux_check_access(), and may not check security_deny_unknown()
> directly.

The two object managers that matter do use selinux_check_access().

I admit that I got a little curious to find out what the issue is.

>
>>
>>>
>>> Besides, haven't you always wanted to get a patch accepted into the
>>> kernel Dominick? ;)
>>
>> Not particularly, no.
>>
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 19:36                     ` Dominick Grift
@ 2019-02-15 19:48                       ` Stephen Smalley
  2019-02-16 12:04                         ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Stephen Smalley @ 2019-02-15 19:48 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Paul Moore, selinux

On 2/15/19 2:36 PM, Dominick Grift wrote:
> Stephen Smalley <sds@tycho.nsa.gov> writes:
> 
>> On 2/15/19 2:21 PM, Dominick Grift wrote:
>>> Paul Moore <paul@paul-moore.com> writes:
>>>
>>>> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@gmail.com> wrote:
>>>>> Dominick Grift <dac.override@gmail.com> writes:
>>>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>>>
>>>>>>> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>>>>>>>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>>>>>>>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>>>>>>>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>>>>>>>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>>>>>>>>>>> <sds@tycho.nsa.gov> wrote:
>>>>>>>>>>>> Add basic MLS policy support to mdp.  Declares
>>>>>>>>>>>> two sensitivities and two categories, defines
>>>>>>>>>>>> mls constraints for all permissions requiring
>>>>>>>>>>>> dominance (ala MCS), assigns the system-high
>>>>>>>>>>>> level to initial SID contexts and the default user
>>>>>>>>>>>> level, and assigns system-low level to filesystems.
>>>>>>>>>>>>
>>>>>>>>>>>> Also reworks the fs_use and genfscon rules to only
>>>>>>>>>>>> generate rules for filesystems that are configured
>>>>>>>>>>>> in the kernel.  In some cases this depends on a specific
>>>>>>>>>>>> config option for security xattrs, in other cases security
>>>>>>>>>>>> xattrs are unconditionally supported by a given filesystem
>>>>>>>>>>>> if the filesystem is enabled, and in some cases the filesystem
>>>>>>>>>>>> is always enabled in the kernel.  Dropped obsolete pseudo
>>>>>>>>>>>> filesystems.
>>>>>>>>>>>>
>>>>>>>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>>>>>>>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>>>>>>>>>>>> We should probably expand it.
>>>>>>>>>>>>
>>>>>>>>>>>> Usage:
>>>>>>>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>>>>>>>>>>>> checkpolicy -M -o policy policy.conf
>>>>>>>>>>>>
>>>>>>>>>>>> Then install the resulting policy and file_contexts as usual.
>>>>>>>>>>>>
>>>>>>>>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>>>>>>>>> ---
>>>>>>>>>>>> v3 fixes up the file contexts generation code to also use
>>>>>>>>>>>> SYSTEMLOW and
>>>>>>>>>>>> collapse down to a single fprintf call per line.
>>>>>>>>>>>>     scripts/selinux/mdp/mdp.c | 131
>>>>>>>>>>>> ++++++++++++++++++++++++++++++--------
>>>>>>>>>>>>     1 file changed, 103 insertions(+), 28 deletions(-)
>>>>>>>>>>>
>>>>>>>>>>> This is great Stephen, thanks for working on this - and rather quickly
>>>>>>>>>>> too!  For those who don't follow the GitHub issues, I just opened an
>>>>>>>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>>>>>>>>>>> mdp tool.
>>>>>>>>>>>
>>>>>>>>>>> Are you planning to keep playing with this?  I'm asking not because I
>>>>>>>>>>> think it needs more work to be worthwhile, but rather I don't want to
>>>>>>>>>>> merge something that you want to continue working on.  If you are
>>>>>>>>>>> happy with this latest patch I think it is okay to merge this into
>>>>>>>>>>> selinux/next, even at this late stage, simply because it is not part
>>>>>>>>>>> of a built kernel, but rather a developer's tool.
>>>>>>>>>>
>>>>>>>>>> No, I think I'm done for now unless you find a problem with
>>>>>>>>>> it. Absent some compelling use case for mdp it is hard to justify
>>>>>>>>>> spending any more time on it.
>>>>>>>>>
>>>>>>>>> Note however that the instructions in
>>>>>>>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>>>>>>>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>>>>>>>>> mdp or -M to checkpolicy, no one will use this support unless they
>>>>>>>>> do it all by hand.
>>>>>>>>
>>>>>>>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>>>>>>>> Partly appears to be due to systemd having embedded security
>>>>>>>> contexts specific to Fedora/refpolicy into its own configurations
>>>>>>>> and partly due to MLS denials.  I don't even know if it would work
>>>>>>>> before this change though...
>>>>>>>
>>>>>>> Couldn't seem to get a mdp-generated policy to boot on Fedora even in
>>>>>>> permissive, before or after this change.  I assume it has to do with
>>>>>>> leaking of contexts outside of the policy and/or missing config files
>>>>>>> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>>>>>>> systemd_contexts and other userspace config files that don't exist in
>>>>>>> the mdp policy).  More evidence of the irrelevance of mdp...
>>>>>>
>>>>>> Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
>>>>>> start without it, and these days without dbus no system
>>>>>
>>>>> My dssp2-minimal [1] policy is my alternative to mdp.
>>>>>
>>>>> https://github.com/DefenSec/dssp2-minimal
>>>>>
>>>>> It is not quite as simple as mdp but I think it is a decent balance
>>>>> between having something useful and still easy to read.
>>>>
>>>> While dssp2-minimal is much smaller than reference policy, it's still
>>>> an order of magnitude larger than the mdp generated policy.  I'm not
>>>> sure if this is something you care about, but if you wanted to work on
>>>> getting mdp to the point where it would allow a Fedora system (or any
>>>> modern SELinux based system for that matter) to boot, that could be
>>>> useful, even if I'm not convinced it needs to be a priority at the
>>>> moment.
>>>
>>> It is also an order of magnitude more useful than mdp.
>>>
>>> I suppose I could look at what it would take to get it to boot on some
>>> rainy afternoon. Should not be hard, but I hesitate to pollute mdp with
>>> user space access vectors. It feels like setting a precedent somehow.
>>
>> In theory, if using selinux_check_access() to check permissions and if
>> the policy sets allow_unknown=true, then the absence of the userspace
>> classes and access vectors should just cause all userspace permission
>> checks to pass.
>>
>> Of course, not all userspace object managers use
>> selinux_check_access(), and may not check security_deny_unknown()
>> directly.
> 
> The two object managers that matter do use selinux_access_check()
> 
> I admit that I got a little curious to find out what the issue is.

Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy 
without specifying -U / --handle-unknown, so the policy defaults to 
deny, and that would indeed render dbus-daemon and systemd broken with 
that policy.  Might be as simple to fix as passing -U allow.

> 
>>
>>>
>>>>
>>>> Besides, haven't you always wanted to get a patch accepted into the
>>>> kernel Dominick? ;)
>>>
>>> Not particularly, no.
>>>
>>
> 



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-15 19:48                       ` Stephen Smalley
@ 2019-02-16 12:04                         ` Dominick Grift
  2019-02-16 12:12                           ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-16 12:04 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, selinux


On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
<snip>

> 
> Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
> without specifying -U / --handle-unknown, so the policy defaults to deny,
> and that would indeed render dbus-daemon and systemd broken with that
> policy.  Might be as simple to fix as passing -U allow.

I have looked a little into this and here are some observations:

1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`

2. You need *at least* an `/etc/selinux/dummy/seusers` with `__default__:user_u` and an accompanying `/etc/selinux/dummy/contexts/failsafe_context` with `base_r:base_t` to boot mdp in enforcing

3. There is an issue with checkpolicy and object_r:

PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.

If you try to append: `role object_r; role object_r types base_t;` to policy.conf and compile that with `checkpolicy` then the `roletype-rule` does *not* end up in the compiled policy for some reason.

Thus, you cannot log in because object_r:base_t is not valid.

To hack around this add `default_role * source` rules to policy.conf and recompile.

This will allow you to log into the system locally in enforcing mode.

4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t` for its "privsep" functionality so, while untested, you probably need an `openssh_contexts` with `privsep_preauth=base_t`

> 
> > 
> > > 
> > > > 
> > > > > 
> > > > > Besides, haven't you always wanted to get a patch accepted into the
> > > > > kernel Dominick? ;)
> > > > 
> > > > Not particularly, no.
> > > > 
> > > 
> > 
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-16 12:04                         ` Dominick Grift
@ 2019-02-16 12:12                           ` Dominick Grift
  2019-02-18  3:12                             ` Paul Moore
  0 siblings, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-16 12:12 UTC (permalink / raw)
  To: Stephen Smalley, Paul Moore, selinux


On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
> On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
> <snip>
> 
> > 
> > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
> > without specifying -U / --handle-unknown, so the policy defaults to deny,
> > and that would indeed render dbus-daemon and systemd broken with that
> > policy.  Might be as simple to fix as passing -U allow.
> 
> I have looked a little into this and here are some observations:
> 
> 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
> 
> 2. You need *at least* an `/etc/selinux/dummy/seusers` with `__default__:user_u` and an accompanying `/etc/selinux/dummy/contexts/failsafe_context` with `base_r:base_t` to boot mdp in enforcing
> 
> 3. There is an issue with checkpolicy and object_r:
> 
> PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
> 
> If you try to append: `role object_r; role object_r types base_t;` to policy.conf and compile that with `checkpolicy` then the `roletype-rule` does *not* end up in the compiled policy for some reason.
> 
> Thus, you cannot log in because object_r:base_t is not valid.
> 
> To hack around this add `default_role * source` rules to policy.conf and recompile.
> 
> This will allow you to log into the system locally in enforcing mode.
> 
> 4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t` for its "privsep" functionality so, while untested, you probably need an `openssh_contexts` with `privsep_preauth=base_t`
> 

The `install_policy.sh` script should probably also do a bash file test for `checkpolicy` and fail gracefully if it's not found



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-16 12:12                           ` Dominick Grift
@ 2019-02-18  3:12                             ` Paul Moore
  2019-02-18  7:08                               ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Paul Moore @ 2019-02-18  3:12 UTC (permalink / raw)
  To: Stephen Smalley, selinux, Petr Lautrbach; +Cc: Paul Moore

On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift <dac.override@gmail.com> wrote:
>
> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
> > <snip>
> >
> > >
> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
> > > and that would indeed render dbus-daemon and systemd broken with that
> > > policy.  Might be as simple to fix as passing -U allow.
> >
> > I have looked a little into this and here are some observations:
> >
> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
> >
> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with `__default__:user_u` and an accompanying `/etc/selinux/dummy/contexts/failsafe_context` with `base_r:base_t` to boot mdp in enforcing

Wow.  I didn't expect we would get to this point so quickly.

Originally my plan had been to just merge the mdp changes that Stephen
submitted, and leave the rest for some other time.  Although based on
everything in this thread, it looks like we are really close to having
something that you can build and boot without too many hacks.

> > 3. There is an issue with checkpolicy and object_r:
> >
> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
> >
> > If you try to append: `role object_r; role object_r types base_t;` to policy.conf and compile that with `checkpolicy` then the `roletype-rule` does *not* end up in the compiled policy for some reason.

This sounds like a bug in checkpolicy ... ?

> > Thus, you cannot log in because object_r:base_t is not valid.
> >
> > To hack around this add `default_role * source` rules to policy.conf and recompile.
> >
> > This will allow you to log into the system locally in enforcing mode.
> >
> > 4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t` for its "privsep" functionality so, while untested, you probably need an `openssh_contexts` with `privsep_preauth=base_t`

Petr, what's the deal with ssh on Fedora?

> The `install_policy.sh` script should probably also do a bash file test for `checkpolicy` and fail gracefully if it's not found

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-18  3:12                             ` Paul Moore
@ 2019-02-18  7:08                               ` Dominick Grift
       [not found]                                 ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
  2019-02-19 12:11                                 ` Petr Lautrbach
  0 siblings, 2 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-18  7:08 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, selinux, Petr Lautrbach

Paul Moore <paul@paul-moore.com> writes:

> On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift <dac.override@gmail.com> wrote:
>>
>> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
>> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
>> > <snip>
>> >
>> > >
>> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
>> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
>> > > and that would indeed render dbus-daemon and systemd broken with that
>> > > policy.  Might be as simple to fix as passing -U allow.
>> >
>> > I have looked a little into this and here are some observations:
>> >
>> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
>> >
>> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
>> > `__default__:user_u` and an accompanying
>> > `/etc/selinux/dummy/contexts/failsafe_context` with
>> > `base_r:base_t` to boot mdp in enforcing
>
> Wow.  I didn't expect we would get to this point so quickly.
>
> Originally my plan had been to just merge the mdp changes that Stephen
> submitted, and leave the rest for some other time.  Although based on
> everything in this thread, it looks like we are really close to having
> something that you can build and boot without too many hacks.
>
>> > 3. There is an issue with checkpolicy and object_r:
>> >
>> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
>> >
>> > If you try to append: `role object_r; role object_r types base_t;`
>> > to policy.conf and compile that with `checkpolicy` then the
>> > `roletype-rule` does *not* end up in the compiled policy for some
>> > reason.
>
> This sounds like a bug in checkpolicy ... ?

Yes, looks like it

>
>> > Thus, you cannot log in because object_r:base_t is not valid.
>> >
>> > To hack around this add `default_role * source` rules to policy.conf and recompile.
>> >
>> > This will allow you to log into the system locally in enforcing mode.
>> >
>> > 4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t`
>> > for its "privsep" functionality so, while untested, you probably
>> > need an `openssh_contexts` with `privsep_preauth=base_t`
>
> Petr, what's the deal with ssh on Fedora?

I wonder whether it would be possible (and feasible) to not transition on
privsep_preauth at all *unless* a privsep preauth type is specified in
openssh_context.

Currently it falls back to a hardcoded type to transition to if
openssh_contexts does not exist.

Then again, I would not want to risk breaking or regressing some of the nice
functionality openssh in Fedora has for selinux. Its state is currently
very good even compared to RHEL.

>
>> The `install_policy.sh` script should probably also do a bash file test for `checkpolicy` and fail gracefully if it's not found



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
       [not found]                                 ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
@ 2019-02-19  8:15                                   ` Dominick Grift
  2019-02-19 11:08                                   ` Dominick Grift
  1 sibling, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-19  8:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, Stephen D. Smalley, selinux, Petr Lautrbach

Stephen Smalley <stephen.smalley@gmail.com> writes:

> On Mon, Feb 18, 2019, 2:09 AM Dominick Grift <dac.override@gmail.com> wrote:
>
>  Paul Moore <paul@paul-moore.com> writes:
>
>  > On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift <dac.override@gmail.com> wrote:
>  >>
>  >> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
>  >> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
>  >> > <snip>
>  >> >
>  >> > >
>  >> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
>  >> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
>  >> > > and that would indeed render dbus-daemon and systemd broken with that
>  >> > > policy.  Might be as simple to fix as passing -U allow.
>  >> >
>  >> > I have looked a little into this and here are some observations:
>  >> >
>  >> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
>  >> >
>  >> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
>  >> > `__default__:user_u` and an accompanying
>  >> > `/etc/selinux/dummy/contexts/failsafe_context` with
>  >> > `base_r:base_t` to boot mdp in enforcing
>  >
>  > Wow.  I didn't expect we would get to this point so quickly.
>  >
>  > Originally my plan had been to just merge the mdp changes that Stephen
>  > submitted, and leave the rest for some other time.  Although based on
>  > everything in this thread, it looks like we are really close to having
>  > something that you can build and boot without too many hacks.
>  >
>  >> > 3. There is an issue with checkpolicy and object_r:
>  >> >
>  >> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
>  >> >
>  >> > If you try to append: `role object_r; role object_r types base_t;`
>  >> > to policy.conf and compile that with `checkpolicy` then the
>  >> > `roletype-rule` does *not* end up in the compiled policy for some
>  >> > reason.
>  >
>  > This sounds like a bug in checkpolicy ... ?
>
>  Yes, looks like it
>
> I don't think so. object_r has always been handled specially. The kernel ignores the role-type definition for it and always exempts contexts
> that contain it from user-role, role-type, and user-range restrictions. We didn't use to include it in the policy at all; I think CIL does but
> we only generate a stub in the kernel policy with the role name and value but no types and the kernel ignores it. What exactly breaks with
> pam_selinux? 

The login program (pam_selinux) is not able to relabel the login user tty
(/dev/ttys0: user_u:base_r:base_t -> user_u:object_r:base_t) and so the user cannot log into the system in enforcing mode.

Maybe a missing contexts config file? I suppose I should look at it
again since you sound confident that this is not a bug. I also suppose
Android uses checkpolicy so they would have noticed?

>
>  >
>  >> > Thus, you cannot log in because object_r:base_t is not valid.
>  >> >
>  >> > To hack around this add `default_role * source` rules to policy.conf and recompile.
>  >> >
>  >> > This will allow you to log into the system locally in enforcing mode.
>  >> >
>  >> > 4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t`
>  >> > for its "privsep" functionality so, while untested, you probably
>  >> > need an `openssh_contexts` with `privsep_preauth=base_t`
>  >
>  > Petr, what's the deal with ssh on Fedora?
>
>  I wonder whether it would be possible (and feasible) to not transition on
>  privsep_preauth at all *unless* a privsep preauth type is specified in
>  openssh_context.
>
>  Currently it falls back to a hardcoded type to transition to if
>  openssh_contexts does not exist.
>
>  Then again, i would not want to risk breaking or regressing some of the nice
>  functionality openssh in fedora has for selinux. It's state is currently
>  very good even compared to RHEL.
>
>  >
>  >> The `install_policy.sh` script should probably also do a bash file test for `checkpolicy` and fail gracefully if it's not found
>
>  -- 
>  Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>  https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>  Dominick Grift
>



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
       [not found]                                 ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
  2019-02-19  8:15                                   ` Dominick Grift
@ 2019-02-19 11:08                                   ` Dominick Grift
       [not found]                                     ` <CAB9W1A2s+PcrC=fPXA9AYRm1oVYArsRCGKihM5mjUqnQtuLe3w@mail.gmail.com>
  1 sibling, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-19 11:08 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Paul Moore, Stephen D. Smalley, selinux, Petr Lautrbach


On Mon, Feb 18, 2019 at 07:07:33PM -0500, Stephen Smalley wrote:
> On Mon, Feb 18, 2019, 2:09 AM Dominick Grift <dac.override@gmail.com> wrote:
> 
> > Paul Moore <paul@paul-moore.com> writes:
> >
> > > On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift <dac.override@gmail.com>
> > wrote:
> > >>
> > >> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
> > >> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
> > >> > <snip>
> > >> >
> > >> > >
> > >> > > Oh, I see: scripts/selinux/install_policy.sh just invokes
> > checkpolicy
> > >> > > without specifying -U / --handle-unknown, so the policy defaults to
> > deny,
> > >> > > and that would indeed render dbus-daemon and systemd broken with
> > that
> > >> > > policy.  Might be as simple to fix as passing -U allow.
> > >> >
> > >> > I have looked a little into this and here are some observations:
> > >> >
> > >> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy`
> > with `-U allow`
> > >> >
> > >> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
> > >> > `__default__:user_u` and an accompanying
> > >> > `/etc/selinux/dummy/contexts/failsafe_context` with
> > >> > `base_r:base_t` to boot mdp in enforcing
> > >
> > > Wow.  I didn't expect we would get to this point so quickly.
> > >
> > > Originally my plan had been to just merge the mdp changes that Stephen
> > > submitted, and leave the rest for some other time.  Although based on
> > > everything in this thread, it looks like we are really close to having
> > > something that you can build and boot without too many hacks.
> > >
> > >> > 3. There is an issue with checkpolicy and object_r:
> > >> >
> > >> > PAM libselinux clients such as `login` try to associate `object_r`
> > with the tty and fail.
> > >> >
> > >> > If you try to append: `role object_r; role object_r types base_t;`
> > >> > to policy.conf and compile that with `checkpolicy` then the
> > >> > `roletype-rule` does *not* end up in the compiled policy for some
> > >> > reason.
> > >
> > > This sounds like a bug in checkpolicy ... ?
> >
> > Yes, looks like it
> >
> 
> I don't think so. object_r has always been handled specially. The kernel
> ignores the role-type definition for it and always exempts contexts that
> contain it from user-role, role-type, and user-range restrictions. We
> didn't use to include it in the policy at all; I think CIL does but we only
> generate a stub in the kernel policy with the role name and value but no
> types and the kernel ignores it. What exactly breaks with pam_selinux?
> 

Tried it again and this time I tried to run install_selinux.sh with selinux disabled (previously I did not bother to boot with selinux disabled)

Now I think I see what you were seeing:

1. setfiles is called in install_selinux.sh but it does not relabel when selinux is disabled
2. the system is mislabeled and when you boot, that prompts an autorelabel (don't know what does that, but maybe systemd) which, for some reason, does not work either even though it looks like it's doing something
3. system does not start properly (even in permissive mode) because it looks like systemd can't compute a valid context using the mislabeled /sbin/init

This, I think, would address that:

1. don't try to run setfiles in install_selinux.sh because it does not work in the scenario where you run install_selinux.sh when selinux is disabled (audit actually prints an FS_RELABEL event but nothing is relabeled)
2. in /etc/selinux/config use SELINUX=permissive instead of SELINUX=enforcing (it needs to relabel in permissive mode in the next step)
3. echo '-F' > /.autorelabel

When all is said and done I still hit the issue where I am not able to log into the system in enforcing mode:

Feb 19 12:05:04 myguest login[1175]: pam_selinux(login:session): Setting file context "user_u:object_r:base_t" failed for /dev/ttyS0: Operation not supported

> 
> > >
> > >> > Thus, you cannot log in because object_r:base_t is not valid.
> > >> >
> > >> > To hack around this add `default_role * source` rules to policy.conf
> > and recompile.
> > >> >
> > >> > This will allow you to log into the system locally in enforcing mode.
> > >> >
> > >> > 4. I also noticed that Fedora's ssh seems to hardcode `sshd_net_t`
> > >> > for its "privsep" functionality so, while untested, you probably
> > >> > need an `openssh_contexts` with `privsep_preauth=base_t`
> > >
> > > Petr, what's the deal with ssh on Fedora?
> >
> > I wonder whether it would be possible (and feasible) to not transition on
> > privsep_preauth at all *unless* a privsep preauth type is specified in
> > openssh_context.
> >
> > Currently it falls back to a hardcoded type to transition to if
> > openssh_contexts does not exist.
> >
> > Then again, i would not want to risk breaking or regressing some of the
> > nice
> > functionality openssh in fedora has for selinux. It's state is currently
> > very good even compared to RHEL.
> >
> > >
> > >> The `install_policy.sh` script should probably also do a bash file test
> > for `checkpolicy` and fail gracefully if it's not found
> >
> > --
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> >


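The workarounds reported in this thread (Dominick's observations: compiling with `-U allow`, the `seusers` and `failsafe_context` files under `/etc/selinux/dummy`, a graceful `checkpolicy` test for `install_policy.sh`, and a forced relabel on the next boot in permissive mode) collected into an added POSIX sh example; this is not code from the kernel tree or from anyone's mail here. The function names and the `$root` prefix (empty on a live system, a scratch directory when testing) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the kernel's install_policy.sh). $root is a prefix
# for every path written; use "" on a live system, a scratch dir to test.
set -eu

# Return 0 if tool $1 is on PATH, otherwise explain and return 1, rather
# than letting a later checkpolicy invocation fail with a confusing error.
require_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "error: required tool '$1' not found in PATH" >&2
    return 1
}

# Write the minimal userspace config the thread found necessary to boot the
# mdp policy in enforcing mode: seusers mapping every Linux user to user_u,
# and a failsafe_context of base_r:base_t.
write_dummy_contexts() {
    root=$1
    store="$root/etc/selinux/dummy"
    mkdir -p "$store/contexts"
    printf '__default__:user_u\n' > "$store/seusers"
    printf 'base_r:base_t\n' > "$store/contexts/failsafe_context"
}

# Compile policy.conf ($1) into the binary policy ($2) as an MLS policy with
# unknown classes and permissions allowed, so userspace object managers
# (dbus-daemon, systemd) whose classes mdp never declares are not denied.
compile_policy() {
    require_tool checkpolicy || return 1
    checkpolicy -M -U allow -o "$2" "$1"
}

# Switch /etc/selinux/config to permissive and request a forced relabel on
# the next boot, since setfiles cannot relabel while SELinux is disabled.
schedule_relabel() {
    root=$1
    cfg="$root/etc/selinux/config"
    sed 's/^SELINUX=.*/SELINUX=permissive/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    printf '%s\n' '-F' > "$root/.autorelabel"
}

# Read the configured mode back from /etc/selinux/config under $1.
selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1/etc/selinux/config"
}
```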

* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-18  7:08                               ` Dominick Grift
       [not found]                                 ` <CAB9W1A3f1jxJQPrU-o=gEKzgjRGmbThoqPvzbK7QNqprdE-LAw@mail.gmail.com>
@ 2019-02-19 12:11                                 ` Petr Lautrbach
  2019-02-19 12:37                                   ` Dominick Grift
  1 sibling, 1 reply; 29+ messages in thread
From: Petr Lautrbach @ 2019-02-19 12:11 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Paul Moore, Stephen Smalley, selinux, Petr Lautrbach


Dominick Grift <dac.override@gmail.com> writes:

> Paul Moore <paul@paul-moore.com> writes:
>
>> On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift 
>> <dac.override@gmail.com> wrote:
>>>
>>> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift 
>>> wrote:
>>> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley 
>>> > wrote:
>>> > <snip>
>>> >
>>> > >
>>> > > Oh, I see: scripts/selinux/install_policy.sh just invokes 
>>> > > checkpolicy
>>> > > without specifying -U / --handle-unknown, so the policy 
>>> > > defaults to deny,
>>> > > and that would indeed render dbus-daemon and systemd 
>>> > > broken with that
>>> > > policy.  Might be as simple to fix as passing -U allow.
>>> >
>>> > I have looked a little into this and here are some 
>>> > observations:
>>> >
>>> > 1. You can boot mdp as-is in permissive mode if you use 
>>> > `checkpolicy` with `-U allow`
>>> >
>>> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
>>> > `__default__:user_u` and an accompanying
>>> > `/etc/selinux/dummy/contexts/failsafe_context` with
>>> > `base_r:base_t` to boot mdp in enforcing
>>
>> Wow.  I didn't expect we would get to this point so quickly.
>>
>> Originally my plan had been to just merge the mdp changes that 
>> Stephen
>> submitted, and leave the rest for some other time.  Although 
>> based on
>> everything in this thread, it looks like we are really close to 
>> having
>> something that you can build and boot without too many hacks.
>>
>>> > 3. There is an issue with checkpolicy and object_r:
>>> >
>>> > PAM libselinux clients such as `login` try to associate 
>>> > `object_r` with the tty and fail.
>>> >
>>> > If you try to append: `role object_r; role object_r types 
>>> > base_t;`
>>> > to policy.conf and compile that with `checkpolicy` then the
>>> > `roletype-rule` does *not* end up in the compiled policy for 
>>> > some
>>> > reason.
>>
>> This sounds like a bug in checkpolicy ... ?
>
> Yes, looks like it
>
>>
>>> > Thus, you cannot log in because object_r:base_t is not 
>>> > valid.
>>> >
>>> > To hack around this add `default_role * source` rules to 
>>> > policy.conf and recompile.
>>> >
>>> > This will allow you to log into the system locally in 
>>> > enforcing mode.
>>> >
>>> > 4. I also noticed that Fedora's ssh seems to hardcode 
>>> > `sshd_net_t`
>>> > for its "privsep" functionality so, while untested, you 
>>> > probably
>>> > need an `openssh_contexts` with `privsep_preauth=base_t`

"sshd_net_t" is really hardcoded as a fallback, but
ssh_selinux_change_context("sshd_net_t"); is not a fatal operation.
If it fails it just logs a debug message and the type of the process
stays unaffected - by default it's sshd_t.

I believe that openssh_context is not necessary if you don't mind or
want to use a different type for privsep preauth sshd processes.


>> Petr, what's the deal with ssh on Fedora?
>
> I wonder whether it would be possible (and feasible) to not 
> transition on
> privsep_preauth at all *unless* a privsep preauth type is 
> specified in
> openssh_context.
>
> Currently it falls back to a hardcoded type to transition to if
> openssh_contexts does not exist.
>
> Then again, i would not want to risk breaking or regressing some 
> of the nice
> functionality openssh in fedora has for selinux. It's state is 
> currently
> very good even compared to RHEL.

I think it's feasible without a big risk. 

https://bugzilla.redhat.com/show_bug.cgi?id=1678695

>>
>>> The `install_policy.sh` script should probably also do a bash 
>>> file test for `checkpolicy` and fail gracefully if it's not 
>>> found



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-19 12:11                                 ` Petr Lautrbach
@ 2019-02-19 12:37                                   ` Dominick Grift
  2019-02-19 12:40                                     ` Dominick Grift
  0 siblings, 1 reply; 29+ messages in thread
From: Dominick Grift @ 2019-02-19 12:37 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: Paul Moore, Stephen Smalley, selinux

Petr Lautrbach <plautrba@redhat.com> writes:

> Dominick Grift <dac.override@gmail.com> writes:
>
>> Paul Moore <paul@paul-moore.com> writes:
>>
>>> On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift
>>> <dac.override@gmail.com> wrote:
>>>>
>>>> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
>>>> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
>>>> > <snip>
>>>> >
>>>> > >
>>>> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
>>>> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
>>>> > > and that would indeed render dbus-daemon and systemd broken with that
>>>> > > policy.  Might be as simple to fix as passing -U allow.
>>>> >
>>>> > I have looked a little into this and here are some observations:
>>>> >
>>>> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
>>>> >
>>>> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
>>>> > `__default__:user_u` and an accompanying
>>>> > `/etc/selinux/dummy/contexts/failsafe_context` with
>>>> > `base_r:base_t` to boot mdp in enforcing
>>>
>>> Wow.  I didn't expect we would get to this point so quickly.
>>>
>>> Originally my plan had been to just merge the mdp changes that Stephen
>>> submitted, and leave the rest for some other time.  Although based on
>>> everything in this thread, it looks like we are really close to having
>>> something that you can build and boot without too many hacks.
>>>
>>>> > 3. There is an issue with checkpolicy and object_r:
>>>> >
>>>> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
>>>> >
>>>> > if you try to append: `role object_r; role object_r types base_t;`
>>>> > to policy.conf and compile that with `checkpolicy` then the
>>>> > `roletype-rule` does *not* end up in the compiled policy for some
>>>> > reason.
>>>
>>> This sounds like a bug in checkpolicy ... ?
>>
>> Yes, looks like it
>>
>>>
>>>> > thus, you cannot log in because object_r:base_t is not valid.
>>>> >
>>>> > To hack around this add `default_role * source` rules to policy.conf and recompile.
>>>> >
>>>> > This will allow you to log into the system locally in enforcing mode.
>>>> >
>>>> > 4. I also noticed that fedoras' ssh seems to hardcode `sshd_net_t`
>>>> > for its "privsep" functionality so, while untested, you probably
>>>> > need an `openssh_contexts` with `privsep_preauth=base_t`
>
> "sshd_net_t" is really hardcoded as a fallback but
> ssh_selinux_change_context("sshd_net_t"); is not a fatal operation.
> If it fails it just logs a debug message and the type of the process
> stays unaffected - by default it's sshd_t
>
> I believe that openssh_context is not necessary if you don't mind or
> want to use different type for privsep preauth sshd processes.

Thanks. So just a warning message. Might be possible to only log it if
debug is enabled?

>
>
>>> Petr, what's the deal with ssh on Fedora?
>>
>> I wonder whether it would be possible (and feasible) to not transition on
>> privsep_preauth at all *unless* a privsep preauth type is specified in
>> openssh_context.
>>
>> Currently it falls back to a hardcoded type to transition to if
>> openssh_contexts does not exist.
>>
>> Then again, i would not want to risk breaking or regressing some of
>> the nice functionality openssh in fedora has for selinux. It's state is
>> currently very good even compared to RHEL.
>
> I think it's feasible without a big risk.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1678695
>
>>>
>>>> The `install_policy.sh` script should probably also do a bash file
>>>> test for `checkpolicy` and fail gracefully if its not found
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
  2019-02-19 12:37                                   ` Dominick Grift
@ 2019-02-19 12:40                                     ` Dominick Grift
  0 siblings, 0 replies; 29+ messages in thread
From: Dominick Grift @ 2019-02-19 12:40 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: Paul Moore, Stephen Smalley, selinux


On Tue, Feb 19, 2019 at 01:37:16PM +0100, Dominick Grift wrote:
> Petr Lautrbach <plautrba@redhat.com> writes:
> 
> > Dominick Grift <dac.override@gmail.com> writes:
> >
> >> Paul Moore <paul@paul-moore.com> writes:
> >>
> >>> On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift
> >>> <dac.override@gmail.com> wrote:
> >>>>
> >>>> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
> >>>> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
> >>>> > <snip>
> >>>> >
> >>>> > >
> >>>> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
> >>>> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
> >>>> > > and that would indeed render dbus-daemon and systemd broken with that
> >>>> > > policy.  Might be as simple to fix as passing -U allow.
> >>>> >
> >>>> > I have looked a little into this and here are some observations:
> >>>> >
> >>>> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
> >>>> >
> >>>> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
> >>>> > `__default__:user_u` and an accompanying
> >>>> > `/etc/selinux/dummy/contexts/failsafe_context` with
> >>>> > `base_r:base_t` to boot mdp in enforcing
> >>>
> >>> Wow.  I didn't expect we would get to this point so quickly.
> >>>
> >>> Originally my plan had been to just merge the mdp changes that Stephen
> >>> submitted, and leave the rest for some other time.  Although based on
> >>> everything in this thread, it looks like we are really close to having
> >>> something that you can build and boot without too many hacks.
> >>>
> >>>> > 3. There is an issue with checkpolicy and object_r:
> >>>> >
> >>>> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
> >>>> >
> >>>> > if you try to append: `role object_r; role object_r types base_t;`
> >>>> > to policy.conf and compile that with `checkpolicy` then the
> >>>> > `roletype-rule` does *not* end up in the compiled policy for some
> >>>> > reason.
> >>>
> >>> This sounds like a bug in checkpolicy ... ?
> >>
> >> Yes, looks like it
> >>
> >>>
> >>>> > thus, you cannot log in because object_r:base_t is not valid.
> >>>> >
> >>>> > To hack around this add `default_role * source` rules to policy.conf and recompile.
> >>>> >
> >>>> > This will allow you to log into the system locally in enforcing mode.
> >>>> >
> >>>> > 4. I also noticed that fedoras' ssh seems to hardcode `sshd_net_t`
> >>>> > for its "privsep" functionality so, while untested, you probably
> >>>> > need an `openssh_contexts` with `privsep_preauth=base_t`
> >
> > "sshd_net_t" is really hardcoded as a fallback but
> > ssh_selinux_change_context("sshd_net_t"); is not a fatal operation.
> > If it fails it just logs a debug message and the type of the process
> > stays unaffected - by default it's sshd_t
> >
> > I believe that openssh_context is not necessary if you don't mind or
> > want to use different type for privsep preauth sshd processes.
> 
> Thanks. So just a warning message. Might be possible to only log it if
> debug is enabled?

Whoops sorry. I overlooked the remainder of your reply. Thanks for addressing.

> 
> >
> >
> >>> Petr, what's the deal with ssh on Fedora?
> >>
> >> I wonder whether it would be possible (and feasible) to not transition on
> >> privsep_preauth at all *unless* a privsep preauth type is specified in
> >> openssh_context.
> >>
> >> Currently it falls back to a hardcoded type to transition to if
> >> openssh_contexts does not exist.
> >>
> >> Then again, i would not want to risk breaking or regressing some of
> >> the nice functionality openssh in fedora has for selinux. It's state is
> >> currently very good even compared to RHEL.
> >
> > I think it's feasible without a big risk.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1678695
> >
> >>>
> >>>> The `install_policy.sh` script should probably also do a bash file
> >>>> test for `checkpolicy` and fail gracefully if its not found
> >
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* Re: [PATCH v3] scripts/selinux: add basic mls support to mdp
       [not found]                                       ` <CAB9W1A3Pef5pfAZ8UEvSQYvWA9oZTRNPvWFCHw8e9eqZsGvGWA@mail.gmail.com>
@ 2019-02-20 10:27                                         ` Petr Lautrbach
  0 siblings, 0 replies; 29+ messages in thread
From: Petr Lautrbach @ 2019-02-20 10:27 UTC (permalink / raw)
  To: selinux; +Cc: Paul Moore, Stephen D. Smalley, Petr Lautrbach, Stephen Smalley


Stephen Smalley <stephen.smalley@gmail.com> writes:

> On Tue, Feb 19, 2019, 8:21 AM Stephen Smalley <stephen.smalley@gmail.com> wrote:
>
>> On Tue, Feb 19, 2019, 6:08 AM Dominick Grift <dac.override@gmail.com> wrote:
>>
>>> On Mon, Feb 18, 2019 at 07:07:33PM -0500, Stephen Smalley wrote:
>>> > On Mon, Feb 18, 2019, 2:09 AM Dominick Grift <dac.override@gmail.com> wrote:
>>> >
>>> > > Paul Moore <paul@paul-moore.com> writes:
>>> > >
>>> > > > On Sat, Feb 16, 2019 at 7:12 AM Dominick Grift <dac.override@gmail.com> wrote:
>>> > > >>
>>> > > >> On Sat, Feb 16, 2019 at 01:04:12PM +0100, Dominick Grift wrote:
>>> > > >> > On Fri, Feb 15, 2019 at 02:48:45PM -0500, Stephen Smalley wrote:
>>> > > >> > <snip>
>>> > > >> >
>>> > > >> > >
>>> > > >> > > Oh, I see: scripts/selinux/install_policy.sh just invokes checkpolicy
>>> > > >> > > without specifying -U / --handle-unknown, so the policy defaults to deny,
>>> > > >> > > and that would indeed render dbus-daemon and systemd broken with that
>>> > > >> > > policy.  Might be as simple to fix as passing -U allow.
>>> > > >> >
>>> > > >> > I have looked a little into this and here are some observations:
>>> > > >> >
>>> > > >> > 1. You can boot mdp as-is in permissive mode if you use `checkpolicy` with `-U allow`
>>> > > >> >
>>> > > >> > 2. You need *at least* an `/etc/selinux/dummy/seusers` with
>>> > > >> > `__default__:user_u` and an accompanying
>>> > > >> > `/etc/selinux/dummy/contexts/failsafe_context` with
>>> > > >> > `base_r:base_t` to boot mdp in enforcing
>>> > > >
>>> > > > Wow.  I didn't expect we would get to this point so quickly.
>>> > > >
>>> > > > Originally my plan had been to just merge the mdp changes that Stephen
>>> > > > submitted, and leave the rest for some other time.  Although based on
>>> > > > everything in this thread, it looks like we are really close to having
>>> > > > something that you can build and boot without too many hacks.
>>> > > >
>>> > > >> > 3. There is an issue with checkpolicy and object_r:
>>> > > >> >
>>> > > >> > PAM libselinux clients such as `login` try to associate `object_r` with the tty and fail.
>>> > > >> >
>>> > > >> > if you try to append: `role object_r; role object_r types base_t;`
>>> > > >> > to policy.conf and compile that with `checkpolicy` then the
>>> > > >> > `roletype-rule` does *not* end up in the compiled policy for some
>>> > > >> > reason.
>>> > > >
>>> > > > This sounds like a bug in checkpolicy ... ?
>>> > >
>>> > > Yes, looks like it
>>> > >
>>> >
>>> > I don't think so. object_r has always been handled specially. The kernel
>>> > ignores the role-type definition for it and always exempts contexts that
>>> > contain it from user-role, role-type, and user-range restrictions. We
>>> > didn't use to include it in the policy at all; I think CIL does but we only
>>> > generate a stub in the kernel policy with the role name and value but no
>>> > types and the kernel ignores it. What exactly breaks with pam_selinux?
>>> >
>>>
>>> Tried it again and this time I tried to run install_selinux.sh with
>>> selinux disabled (previously i did not bother to boot with selinux disabled)
>>>
>>> Now I think I see what you were seeing:
>>>
>>> 1. setfiles is called in install_selinux.sh but it does not relabel when
>>> selinux is disabled
>>>
>>
>> That's a bug in setfiles / libselinux selinux_restorecon. I thought that
>> was fixed recently. If selinux is disabled, we should not exclude
>> filesystem based on seclabel.
>>
>
> Was it never merged?
> https://lore.kernel.org/selinux/20180926151254.1794-1-sds@tycho.nsa.gov/

Apparently it was not merged. Since there was no objection, only a LGTM
comment, I've just merged it.

>
>>
>>> 2. the system is mislabeled and when you boot, that prompts an autorelabel
>>> (don't what does that but maybe systemd) which, for some reason, does not
>>> work either even though it looks like its doing something
>>> 3. system does not start properly (even in permissive mode) because it
>>> looks like systemd can't compute a valid context using the mislabeled
>>> /sbin/init
>>>
>>> This, i think, would address that:
>>>
>>> 1. dont try to run setfiles in install_selinux.sh because it does not
>>> work in the scenario where you run install_selinux.sh when selinux is
>>> disabled (audit actually prints an FS_RELABEL event but nothing is
>>> relabeled)
>>> 2. in /etc/selinux/config use SELINUX=permissive instead of
>>> SELINUX=enforcing (it needs to relabel in permissive mode in the next step)
>>> 3. echo '-F' > /.autorelabel
>>>
>>> When all is said and done I still hit the issue where I am not able to
>>> log into the system in enforcing mode:
>>>
>>> Feb 19 12:05:04 myguest login[1175]: pam_selinux(login:session): Setting
>>> file context "user_u:object_r:base_t" failed for /dev/ttyS0: Operation not
>>> supported
>>>
>>
>> Operation not supported means that the filesystem type isn't configured
>> for labeling. Looks like mdp was never updated to include devtmpfs among
>> other filesystems.
>>
>>
>>> >
>>> > > >
>>> > > >> > thus, you cannot log in because object_r:base_t is not valid.
>>> > > >> >
>>> > > >> > To hack around this add `default_role * source` rules to policy.conf and recompile.
>>> > > >> >
>>> > > >> > This will allow you to log into the system locally in enforcing mode.
>>> > > >> >
>>> > > >> > 4. I also noticed that fedoras' ssh seems to hardcode `sshd_net_t`
>>> > > >> > for its "privsep" functionality so, while untested, you probably
>>> > > >> > need an `openssh_contexts` with `privsep_preauth=base_t`
>>> > > >
>>> > > > Petr, what's the deal with ssh on Fedora?
>>> > >
>>> > > I wonder whether it would be possible (and feasible) to not transition on
>>> > > privsep_preauth at all *unless* a privsep preauth type is specified in
>>> > > openssh_context.
>>> > >
>>> > > Currently it falls back to a hardcoded type to transition to if
>>> > > openssh_contexts does not exist.
>>> > >
>>> > > Then again, i would not want to risk breaking or regressing some of the
>>> > > nice functionality openssh in fedora has for selinux. It's state is currently
>>> > > very good even compared to RHEL.
>>> > >
>>> > > >
>>> > > >> The `install_policy.sh` script should probably also do a bash file test
>>> > > >> for `checkpolicy` and fail gracefully if its not found
>>> > >
>>> > > --
>>> > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> > > Dominick Grift
>>> > >
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>>

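The install_policy.sh hardening and first-boot steps this thread converges on (test for checkpolicy and fail gracefully, pass -U allow, write seusers and failsafe_context, boot permissive with a forced relabel), as an added shell example that is neither the kernel's install_policy.sh nor any list member's code. It assumes the policy type name "dummy" from the /etc/selinux/dummy paths quoted above; the policy.conf path and the target root are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not the kernel's scripts/selinux/install_policy.sh and not
# any list member's code. Assumptions: the policy type is "dummy" (matching
# the /etc/selinux/dummy paths in the thread); policy.conf path and target
# root are caller-supplied placeholders; checkpolicy -M/-U are real flags.

# Return 0 if the named tool is on PATH, else print a message and return 1,
# so callers can fail gracefully instead of dying on "command not found".
require_tool() {
    if command -v "$1" >/dev/null 2>&1; then
        return 0
    fi
    echo "error: required tool '$1' not found in PATH" >&2
    return 1
}

# Compile policy.conf as MLS (-M) with unknown classes/permissions allowed
# (-U allow); the thread found the default of deny breaks dbus-daemon and
# systemd on a minimal policy. $1 = policy.conf, $2 = output policy file.
compile_policy() {
    require_tool checkpolicy || return 1
    checkpolicy -M -U allow -o "$2" "$1"
}

# Write the minimal login configuration needed to boot mdp enforcing:
# seusers mapping every Linux user to user_u, plus a failsafe_context of
# base_r:base_t. $1 = policy directory, e.g. /etc/selinux/dummy.
write_dummy_contexts() {
    mkdir -p "$1/contexts" || return 1
    printf '__default__:user_u\n' > "$1/seusers"
    printf 'base_r:base_t\n' > "$1/contexts/failsafe_context"
}

# Write /etc/selinux/config for a permissive first boot and request a
# forced relabel, because setfiles relabels nothing while SELinux is
# disabled at install time. $1 = target root (/ on a real system).
write_boot_config() {
    mkdir -p "$1/etc/selinux" || return 1
    printf 'SELINUX=permissive\nSELINUXTYPE=dummy\n' > "$1/etc/selinux/config"
    echo '-F' > "$1/.autorelabel"
}
```

Switch /etc/selinux/config back to SELINUX=enforcing only after the relabel triggered by /.autorelabel has completed.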

