On Fri, 2008-05-23 at 10:34 -0400, Daniel J Walsh wrote: > Mainly adding additional dontaudits for permissive domains. > Subject: [PATCH] refpolicy: kernel_kernel changes > --text follows this line-- > --- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-05-23 09:15:06.224337000 -0400 > +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.if 2008-05-23 10:29:05.107838000 -0400 > @@ -1198,6 +1198,7 @@ > ') > > dontaudit $1 proc_type:dir list_dir_perms; > + dontaudit $1 proc_type:file getattr; > ') > > ######################################## > @@ -1768,6 +1769,7 @@ > ') > > dontaudit $1 sysctl_type:dir list_dir_perms; > + dontaudit $1 sysctl_type:file read_file_perms; > ') > > ######################################## These two violate the intention of the interface. > --- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-05-23 09:15:06.211350000 -0400 > +++ serefpolicy-3.4.1/policy/modules/kernel/kernel.te 2008-05-23 10:27:34.127426000 -0400 > @@ -231,6 +231,7 @@ > # Mount root file system. Used when loading a policy > # from initrd, then mounting the root filesystem > fs_mount_all_fs(kernel_t) > +fs_unmount_all_fs(kernel_t) > > selinux_load_policy(kernel_t) > > @@ -253,6 +254,8 @@ > > mls_process_read_up(kernel_t) > mls_process_write_down(kernel_t) > +mls_file_write_all_levels(kernel_t) > +mls_file_read_all_levels(kernel_t) > > ifdef(`distro_redhat',` > # Bugzilla 222337 These are merged. 
> @@ -372,3 +375,6 @@ > allow kern_unconfined unlabeled_t:association *; > allow kern_unconfined unlabeled_t:packet *; > allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; > + > +kernel_rw_all_sysctls(kern_unconfined) > + This one is redundant. A few lines up is: allow kern_unconfined sysctl_type:{ dir file } *; -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
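Review bot: the new `dontaudit $1 proc_type:file getattr;` in the kernel.if hunk at -1198 widens an interface whose existing body only dontaudits `proc_type:dir list_dir_perms`, so every existing caller that asked to silence proc directory-listing denials now also silences file getattr denials on proc without any change on the caller's side. A domain author who relies on those getattr denials to find missing proc access rules loses them. Keep this interface limited to directory listing and add a separate, clearly named dontaudit interface for the file getattr case (with its own description), or at least update this interface's description so the broadened scope is documented.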
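Review bot: `dontaudit $1 sysctl_type:file read_file_perms;` in the kernel.if hunk at -1768 has the same scoping problem as the proc hunk and is also inconsistent with it: proc gets only `getattr` silenced, while sysctl gets the whole `read_file_perms` set, which covers actual reads rather than just attribute lookups. Silencing full read attempts on every sysctl file hides exactly the denials an auditor wants to see when a permissive domain starts touching kernel tunables. Either narrow this to `getattr` to match the proc change, or split it into its own dontaudit interface whose name says it covers reads.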
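Review bot: `fs_unmount_all_fs(kernel_t)` in the kernel.te hunk at -231 is an allow rule, not a dontaudit, so it is not covered by the cover note ("Mainly adding additional dontaudits for permissive domains"), and the comment directly above it ("Mount root file system. Used when loading a policy from initrd, then mounting the root filesystem") only justifies mounting. Extend that comment with the case in which the kernel domain has to unmount a filesystem, and mention the new allow rule in the patch description so it is not read as part of the dontaudit cleanup.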
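Review bot: `mls_file_write_all_levels(kernel_t)` and `mls_file_read_all_levels(kernel_t)` in the kernel.te hunk at -253 exempt kernel_t from the MLS file read and write constraints at every level, which is a far broader override than the adjacent `mls_process_read_up`/`mls_process_write_down` and, again, not a dontaudit. Because this enlarges what the kernel domain may do under an MLS policy, the patch description should state which denials motivated it, so the exemption can be reviewed on its own merits and narrowed later rather than silently carried forward.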
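Review bot: in addition to `kernel_rw_all_sysctls(kern_unconfined)` being redundant with the earlier `allow kern_unconfined sysctl_type:{ dir file } *;`, the kernel.te hunk at -372 adds two lines that are just `+` with nothing after them, leaving stray blank lines at the end of the file. Drop the blank lines together with the redundant call.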