Re: Question about independent SELinux policy module

On 01/15/2018 01:59 PM, Javier Martinez Canillas wrote:
Hello Bill,


Hi all,

On 01/14/2018 10:44 PM, Roberts, William C wrote:


-----Original Message-----
From: Javier Martinez Canillas [mailto:javierm@xxxxxxxxxx]
Sent: Friday, January 12, 2018 2:46 AM
To: Lukas Vrabec <lvrabec@xxxxxxxxxx>
Cc: Tricca, Philip B <philip.b.tricca@xxxxxxxxx>; Roberts, William C
<william.c.roberts@xxxxxxxxx>; selinux@xxxxxxxxxxxxxxxxxxxxxxx; Sun, Yunying
<yunying.sun@xxxxxxxxx>; Jerry Snitselaar <jsnitsel@xxxxxxxxxx>
Subject: Re: Question about independent SELinux policy module

Sorry, forgot to add the other tpm2-{tss,tools,abrmd} package maintainers to cc.

On 01/12/2018 11:30 AM, Javier Martinez Canillas wrote:
Hello Lukas and SELinux team,

I maintain the tpm2-{tss,tools,abrmd} packages in Fedora, and a recent
upstream change [0] in tpm2-abrmd (using sockets instead of pipes to
pass open fds to the clients) makes the daemon die when starting on
the D-Bus system bus.

This is because the tpm2-abrmd runs in the unconfined_service_t domain
and the D-bus daemon isn't allowed to read/write to sockets created by
processes in an unconfined domain.

The tpm2-abrmd upstream project ships a SELinux policy module [1] that
makes it work on Fedora, but the policy module has the following AV rule as a
workaround:

# This next bit doesn't belong here. It should be exposed through an
# interface likely from the dbus policy module.
gen_require(`
	type system_dbusd_t;
')
allow system_dbusd_t tabrmd_t:unix_stream_socket { read write };

The comment correctly points out that it should instead be an
interface in the D-Bus policy module, but neither Fedora's nor refpol's
SELinux policy has such an interface for that particular AV rule.

I have created a tpm2-abrmd-selinux [2] package to ship the customized
SELinux policy in Fedora as explained in this wiki page [3]. But of
course, first that AV rule needs to be removed since it doesn't belong
to the tpm2-abrmd SELinux policy module.

So my question is what's the correct way to fix this? I'm very far
from being a SELinux expert so I don't know how to proceed.

I would imagine adding that missing interface into Fedora's policy would
be correct.  What is refpolicy doing, does it have such an interface?


As mentioned in my previous email, neither Fedora's policy nor refpolicy has this
interface. And yes, I would also expect the interface to be added in Fedora's
selinux-policy-contrib package.

I just first wanted to make sure that a) the interface is correct and the only
hack is where it's being added and b) questioning whether the tpm2-abrmd D-Bus
daemon shouldn't be modified instead to not require the rule in the first place.

Philip said that the reason why the tpm2-abrmd needs it is that it passes opened fds
through unix sockets. And that's something that it seems no other D-Bus service
does (since otherwise an interface for the unix_stream_socket read write AV rule
would already exist in the D-Bus policy module).


Yep, it looks like you mentioned: tpm2-abrmd is passing opened fds through unix sockets, and that's the reason why this rule is needed.

We also don't have an interface for it and it can be added, but then the tpm2-abrmd SELinux security policy will be dependent on a specific distribution policy.

I prefer the fix in the following PR:
https://github.com/intel/tpm2-abrmd/pull/299

With that said this touches on 2 things of SE Linux I don't know much about:
desktop/fedora and dbus


Yes, I'm not that familiar with either D-Bus or SELinux, to be honest. That's
why I wanted the experts' opinions.

I wonder if the mainline SE Linux list would have any suggestions if no one
here comes up with anything.


Could be, I preferred to first see how it could be solved with Fedora's SELinux
policy since there's a lot of delta with the upstream refpolicy anyways.


I've added Philip (tpm2-abrmd maintainer and author of the SELinux
policy) in case you have more questions about what the tpm2-abrmd is
doing and why it needs the mentioned AV rule.

[0]: https://github.com/intel/tpm2-abrmd/commit/51a3c55d772b
[1]: https://github.com/intel/tpm2-abrmd/commit/b11194de8f40
[2]: https://github.com/martinezjavier/tpm2-abrmd-selinux
[3]: http://fedoraproject.org/wiki/SELinux/IndependentPolicy


Best regards,



--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
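A sketch of what the "proper" fix discussed in the thread would look like, as an added example that is not code from the thread or from the tpm2-abrmd project: the AV rule moves into a hypothetical interface in the distribution's dbus policy module (dbus.if), and the tpm2-abrmd module calls that interface instead of carrying the gen_require workaround. The interface name dbus_system_rw_unix_stream_sockets and the tabrmd.te skeleton are assumptions; as Lukas notes, this ties the tpm2-abrmd module to the distribution policy that ships the interface.

```m4
# --- dbus.if (distribution policy module): hypothetical interface ---
## <summary>
##	Allow the system DBus daemon to read from and write to
##	unix stream sockets owned by the specified domain, for
##	services that hand open fds to their clients over them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain whose unix stream sockets the system bus may use.
##	</summary>
## </param>
#
interface(`dbus_system_rw_unix_stream_sockets',`
	gen_require(`
		type system_dbusd_t;
	')

	# Same rule as the workaround, but now scoped to the caller's
	# domain ($1) and living next to the system_dbusd_t definition.
	allow system_dbusd_t $1:unix_stream_socket { read write };
')

# --- tabrmd.te (tpm2-abrmd module, assumed skeleton): consumer ---
policy_module(tabrmd, 1.0.0)

type tabrmd_t;
type tabrmd_exec_t;
init_daemon_domain(tabrmd_t, tabrmd_exec_t)

# No gen_require(`type system_dbusd_t;') and no raw allow here any
# more: the module only asks the dbus module for the access, so it
# builds and loads even when that type is renamed or restructured,
# as long as the interface is present in the installed dbus.if.
optional_policy(`
	dbus_system_rw_unix_stream_sockets(tabrmd_t)
')

# After installing both, confirm the rule reached the kernel policy:
#   sesearch -A -s system_dbusd_t -t tabrmd_t -c unix_stream_socket
# which should list the { read write } allow rule and nothing broader.
```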
