On 2/19/20 8:47 AM, Stephen Smalley wrote:
On 2/18/20 4:33 PM, Lukas Vrabec wrote:
I fully agree that we should merge commits from the refpolicy, which
removing unused permissions and classes. This should *NOT* break
anything.
Related to new permissions, we need to understand what are security
benefits of adding it to Fedora (and RHEL). The main goal is keep "good"
balance between usability and security (We cannot introduce any
regressions by adding policy features)
My suggestion is start with removing obsolete and unused
permissions/classes and after discussion (e.g here) we can start picking
some good candidate RFEs.
@Ondrej,
AFAIK, you prepared PR to remove unused classes and permissions, could
we merge it?
Caveat: Removing unused classes and permissions can break policy updates
when there are local or third party policy modules installed that were
built against the older refpolicy headers that still declared them and
potentially even allowed them. On the policy package update, any
references to the removed classes or permissions in the local or third
party policy module will fail to resolve, and semodule -B will fail.
Unfortunately since this is run from %post and not integrated via rpm
selinux plugin, the failure won't rollback the rpm transaction, so from
rpm's point of view, the updated policy package will be installed but
libsemanage will have rolled back to the old policy since it couldn't
resolve the classes/permissions. Only way to fix is to remove the
offending policy modules, update, recompile the offending policy modules
against the new headers, and then re-install them.
NB For a while, CIL treated unknown permissions as a non-fatal error to
avoid breakage in this kind of situation; this was changed in selinux
userspace commit dc4e54126bf25dea4d51820922ccd1959be68fbc ("
libsepol: Make an unknown permission an error in CIL") because otherwise
typos or other errors in policy could go undetected. I suppose Fedora
could introduce some kind of compatibility hack to try to avoid breakage
in these scenarios, but that would need to apply to both unknown classes
and permissions and in a manner that still detects real errors (maybe a
whitelist of known removed classes/permissions?).
For testsuite purposes, it is more crucial to add the new
classes/permissions so that the tests actually run than removing the
dead ones.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx