Stephen Smalley wrote: > There are several legacy permissions that are no longer used by SELinux. > We could remove these from the kernel's classmap.h definitions without > breaking anything (subsequent permissions would get mapped to policy > values appropriately by the new logic), but removing them from the > policy would be harder as it would break all kernels that predate these > patches. Thus, I'm not sure we benefit from removing them from > classmap.h. > > The unused permissions include: > # LSM hook never merged to mainline > file swapon > # compat_net=1 checks > socket { recv_msg send_msg } > # Only added so that subsequent permissions (execmod) would get the same value as class file > chr_file { execute_no_trans entrypoint } > # Original socket controls; never merged to mainline > tcp_socket { connectto newconn acceptfrom } > # legacy network or compat_net=1 checks > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send } > # legacy network or compat_net=1 checks > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } > # Original socket controls; never merged to mainline - only connectto is used > unix_stream_socket { newconn acceptfrom } > # Patches merged prematurely by Fedora, never merged to mainline > packet { flow_in flow_out } This is just a report; I have not yet tracked down the origin of the matter. When I applied your patch as is, then built, installed and rebooted, I could not find any *obvious* problem (such as a boot failure). Good. Then I modified classmap.h for test purposes: the object classes and access vectors are randomized, as in the attached classmap.h. This patch maps their values using text identifiers, so we can expect it to work correctly independent of the order of classes and access vectors. Did you already remove the unused kernel permissions?
-- kernel boot messages : Creating initial device nodes plymouthd used greatest stack depth: 6532 bytes left async/0 used greatest stack depth: 6284 bytes left async/1 used greatest stack depth: 5828 bytes left input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4 kjournald starting. Commit interval 5 seconds EXT3-fs: mounted filesystem with ordered data mode. type=1404 audit(1254231627.600:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 SELinux: Permission module_request in class system not defined in policy. SELinux: the above unknown classes and permissions will be allowed type=1403 audit(1254231628.088:3): policy loaded auid=4294967295 ses=4294967295 type=1400 audit(1254231628.100:4): avc: denied { transition } for pid=58 comm="init" path="/bin/plymouth" dev=rootfs ino=3512 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=process type=1400 audit(1254231628.438:5): avc: denied { transition } for pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process type=1400 audit(1254231628.458:6): avc: denied { entrypoint } for pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:bin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file init used greatest stack depth: 5684 bytes left init: Not being executed as init ------ -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
/* These definitions must match the definitions in av_permissions.h. */
/*
 * Kernel-side table of SELinux object classes and their permission names.
 *
 * Each entry is a class name followed by a NULL-terminated list of
 * permission names; the table itself ends with a { NULL } entry.
 *
 * NOTE(review): this is the deliberately randomized copy attached to the
 * covering mail, used to exercise the dynamic class/permission mapping.
 * Per that mail, policy values are matched to these entries by name at
 * policy load, so the order here is not expected to matter for policy
 * interpretation — but the position of each entry is presumably still
 * what the kernel uses as its own internal class/permission value, so
 * reordering this table changes kernel-side numbering (confirm against
 * the mapping code and av_permissions.h).
 */

/*
 * Permissions shared by all file-like classes. Expands to a comma-separated
 * list of string literals and is used as the leading part of a class's
 * permission list below.
 */
#define COMMON_FILE_PERMS "mounton", "quotaon", "swapon", "execute", "rename", \
	"link", "unlink", "append", "relabelto", "relabelfrom", "lock", \
	"setattr", "getattr", "create", "write", "read", "ioctl"

/*
 * Permissions shared by all socket classes. Same usage as COMMON_FILE_PERMS;
 * note that it deliberately overlaps with it (append, setattr, lock, ...).
 */
#define COMMON_SOCK_PERMS "append", "bind", "connect", "listen", "accept", \
	"getopt", "setopt", "shutdown", "recvfrom", \
	"setattr", "lock", "relabelfrom", "relabelto", \
	"sendto", "recv_msg", "send_msg", "name_bind", \
	"ioctl", "read", "write", "create", "getattr"

/*
 * NOTE(review): an access vector is a 32-bit mask, so no class should carry
 * more than 32 named permissions before its NULL terminator — confirm
 * against the definition of struct security_class_mapping. "capability"
 * below is already at 32 entries; newer capabilities live in "capability2".
 */
struct security_class_mapping secclass_map[] = {
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent", "search",
	    "rmdir", "open", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file", { COMMON_FILE_PERMS, NULL } },
	/* execute_no_trans/entrypoint kept so execmod lines up with class file */
	{ "chr_file",
	  { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", "execmod",
	    "open", NULL } },
	{ "file",
	  { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", "execmod",
	    "open", NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "flow_in", "flow_out", "forward_in",
	    "forward_out", NULL } },
	{ "blk_file", { COMMON_FILE_PERMS, "open", NULL } },
	{ "sock_file", { COMMON_FILE_PERMS, "open", NULL } },
	{ "fifo_file", { COMMON_FILE_PERMS, "open", NULL } },
	{ "socket", { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", "node_bind",
	    "name_connect", NULL } },
	{ "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
	{ "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
	{ "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay",
	    "nlmsg_readpriv", "nlmsg_tty_audit", NULL } },
	{ "netlink_ip6fw_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_dnrt_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "node",
	  { "tcp_recv", "tcp_send", "udp_recv", "udp_send", "rawip_recv",
	    "rawip_send", "enforce_dest", "dccp_recv", "dccp_send", "recvfrom",
	    "sendto", NULL } },
	{ "netif",
	  { "tcp_recv", "tcp_send", "udp_recv", "udp_send", "rawip_recv",
	    "rawip_send", "dccp_recv", "dccp_send", "ingress", "egress", NULL } },
	{ "netlink_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL } },
	{ "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } },
	/* SysV IPC classes share a common base list; msgq/shm add one each */
	{ "sem",
	  { "create", "destroy", "getattr", "setattr", "read", "write",
	    "associate", "unix_read", "unix_write", NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { "create", "destroy", "getattr", "setattr", "read", "write",
	    "associate", "unix_read", "unix_write", "enqueue", NULL } },
	{ "shm",
	  { "create", "destroy", "getattr", "setattr", "read", "write",
	    "associate", "unix_read", "unix_write", "lock", NULL } },
	{ "ipc",
	  { "create", "destroy", "getattr", "setattr", "read", "write",
	    "associate", "unix_read", "unix_write", NULL } },
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_firewall_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_kobject_uevent_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "security",
	  { "compute_av", "compute_create", "compute_member", "check_context",
	    "load_policy", "compute_relabel", "compute_user", "setenforce",
	    "setbool", "setsecparam", "setcheckreqprot", NULL } },
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill", "sigstop", "signull",
	    "signal", "ptrace", "getsched", "setsched", "getsession", "getpgid",
	    "setpgid", "getcap", "setcap", "share", "getattr", "setexec",
	    "setfscreate", "noatsecure", "siginh", "setrlimit", "rlimitinh",
	    "dyntransition", "setcurrent", "execmem", "execstack", "execheap",
	    "setkeycreate", "setsockcreate", NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
	    "module_request", NULL } },
	/* 32 permissions: the class is full, see the NOTE above */
	{ "capability",
	  { "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
	    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
	    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
	    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
	    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
	    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
	    "audit_write", "audit_control", "setfcap", NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr", "relabelfrom", "relabelto",
	    "transition", "associate", "quotamod", "quotaget", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	{ "capability2", { "mac_override", "mac_admin", NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket", { COMMON_SOCK_PERMS, NULL } },
	/* end-of-table sentinel */
	{ NULL }
};