Updating security classes and access vectors in Fedora policy?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Fedora policy has a number of differences in its security_classes and access_vectors from current refpolicy, and neither are fully up to date with the kernel (but refpolicy is closer). One consequence of this is that parts of the selinux-testsuite do not run by default on Fedora (including rawhide) at present and still require manual patching by testers if they want to exercise all the tests.

Differences that I see include:

- refpolicy has added the watch* permissions exercised by the selinux-testsuite/tests/{notify,filesystem,fs_filesystem} tests. These were first defined in refpolicy by https://github.com/SELinuxProject/refpolicy/commit/c656b97a289ce6c2da2871700384f0f9d831be18 but there have been a series of subsequent commits (one to fix an ordering problem to better align with the kernel) and then allowing these new watch permissions as needed.

- refpolicy has added the perf_event class exercised by the selinux-testsuite/tests/perf_event tests. These were first defined in refpolicy by https://github.com/SELinuxProject/refpolicy/commit/624a63704c19a653486f37d11dc04bbe7d221f38.

- Neither refpolicy nor fedora have yet added the lockdown class exercised by selinux-testsuite/tests/lockdown. The kernel commit introducing this class is https://github.com/SELinuxProject/selinux-kernel/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331.

Other differences that don't directly affect the testsuite execution:

- Drop unused socket security classes, https://github.com/SELinuxProject/refpolicy/commit/4637cd6f898e95ffa95b2d089916d3987bc7d55f

- Remove unused permissions, https://github.com/SELinuxProject/refpolicy/commit/161bda392e61056ea22fe9862ad76c36ca8f35ca

- Remove entrypoint and execute_no_trans from chr_file, https://github.com/SELinuxProject/refpolicy/commit/8486b8aa83afa7abd94c9338e8845c2cbeb67f31

- remove flow_in and flow_out permissions from packet class, https://github.com/SELinuxProject/refpolicy/commit/f4459adf3242ed2dbc35e2125f55ec299378c04c

- Rename obsolete netlink_firewall_socket and netlink_ip6fw_socket classes, https://github.com/SELinuxProject/refpolicy/commit/5fd175fa453e995d8b7357b87403fbbeb4e54ea8

- Remove unused translate permission in context userspace class, https://github.com/SELinuxProject/refpolicy/commit/65da822c1b5c70bd1ff7eca645f5f9fd74fa949e

- Fedora policy has an "undefined" permission in its class system access vector, not present in refpolicy (some kind of compatibility hack?).

- Fedora policy has an "epolwakeup" permission in its class capability2 access vector, not present in refpolicy (old name for block_suspend, never included in an official kernel release, also not even correct originally - should have been epollwakeup).

- Fedora policy has "getnetgrp" and "shmemnetgrp" permissions in its class nscd access vector, not sure if those are used by glibc/ncsd code but if so should get added to refpolicy too.

- Fedora policy has a "proxy" class and access vector for "gssd", not present in refpolicy. If that's something that isn't Fedora-specific, it should probably get upstreamed to refpolicy although the class name isn't very descriptive.

- refpolicy has "db_exception" and "db_datatype" classes and access vectors for "Interbase/Firebird/Red Database", not present in Fedora. Don't know if that matters to Fedora.

- Various whitespace/comment cleanups in refpolicy not in Fedora.

- process2 is declared at a different place in security_classes in refpolicy versus Fedora. Doesn't really matter since kernel uses dynamic class/perm support and no fixed definition ever defined in libselinux/libsepol headers but might be good to align them for consistency.

NB The removals and renames may have some compatibility implications, e.g. a local or third party policy module built against the existing Fedora policy headers may have picked up dependencies on these classes/permissions and therefore may need to be rebuilt against the updated headers in order to still link successfully. This could break upon an update if those local or third party modules were installed at the time of the update since we'd fail on the semodule -B during %post, leaving the system with the old policy. rpm selinux support was supposed to fix that kind of thing by handling it via plugin and not from %post and rolling the package update back but never got adopted/used ;(
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux