Re: Updating security classes and access vectors in Fedora policy?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2/19/20 3:01 PM, Stephen Smalley wrote:
> On 2/19/20 8:47 AM, Stephen Smalley wrote:
>> On 2/18/20 4:33 PM, Lukas Vrabec wrote:
>>> I fully agree that we should merge commits from the refpolicy, which
>>> removing unused permissions and classes. This should *NOT* break
>>> anything.
>>>
>>> Related to new permissions, we need to understand what are security
>>> benefits of adding it to Fedora (and RHEL). The main goal is keep "good"
>>> balance between usability and security (We cannot introduce any
>>> regressions by adding policy features)
>>>
>>> My suggestion is start with removing obsolete and unused
>>> permissions/classes and after discussion (e.g here) we can start picking
>>> some good candidate RFEs.
>>>
>>> @Ondrej,
>>> AFAIK, you prepared PR to remove unused classes and permissions, could
>>> we merge it?
>>
>> Caveat: Removing unused classes and permissions can break policy
>> updates when there are local or third party policy modules installed
>> that were built against the older refpolicy headers that still
>> declared them and potentially even allowed them.  On the policy
>> package update, any references to the removed classes or permissions
>> in the local or third party policy module will fail to resolve, and
>> semodule -B will fail. Unfortunately since this is run from %post and
>> not integrated via rpm selinux plugin, the failure won't rollback the
>> rpm transaction, so from rpm's point of view, the updated policy
>> package will be installed but libsemanage will have rolled back to the
>> old policy since it couldn't resolve the classes/permissions.  Only
>> way to fix is to remove the offending policy modules, update,
>> recompile the offending policy modules against the new headers, and
>> then re-install them.
> 
> NB For a while, CIL treated unknown permissions as a non-fatal error to
> avoid breakage in this kind of situation; this was changed in selinux
> userspace commit dc4e54126bf25dea4d51820922ccd1959be68fbc (" libsepol:
> Make an unknown permission an error in CIL") because otherwise typos or
> other errors in policy could go undetected.  I suppose Fedora could
> introduce some kind of compatibility hack to try to avoid breakage in
> these scenarios, but that would need to apply to both unknown classes
> and permissions and in a manner that still detects real errors (maybe a
> whitelist of known removed classes/permissions?).
> 
>>
>> For testsuite purposes, it is more crucial to add the new
>> classes/permissions so that the tests actually run than removing the
>> dead ones.
> 

Thank you for discussion, we need to wait for SELinux policy maintainer
and then we could follow up.

Thanks,
Lukas.

-- 
Lukas Vrabec
SELinux Evangelist,
Senior Software Engineer, Security Technologies
Red Hat, Inc.

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux