Re: [PATCH v4 2/2] selinux: generate flask headers during kernel build


 



Stephen Smalley wrote:
> There are several legacy permissions that are no longer used by SELinux.
> We could remove these from the kernel's classmap.h definitions without
> breaking anything (subsequent permissions would get mapped to policy
> values appropriately by the new logic), but removing them from the
> policy would be harder as it would break all kernels that predate these
> patches.  Thus, I'm not sure we benefit from removing them from
> classmap.h.
> 
> The unused permissions include:
> # LSM hook never merged to mainline
> file swapon
> # compat_net=1 checks
> socket { recv_msg send_msg }
> # Only added so that subsequent permissions (execmod) would get the same value as class file
> chr_file { execute_no_trans entrypoint }
> # Original socket controls; never merged to mainline
> tcp_socket { connectto newconn acceptfrom }
> # legacy network or compat_net=1 checks
> node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send }
> # legacy network or compat_net=1 checks
> netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> # Original socket controls; never merged to mainline - only connectto is used
> unix_stream_socket { newconn acceptfrom }
> # Patches merged prematurely by Fedora, never merged to mainline
> packet { flow_in flow_out }

This is just a report; I have not yet found the origin of the problem.

When I applied your patch as is, built, installed and rebooted,
I could not find any *obvious* problem (such as a failed boot). Good.

Then I modified classmap.h for test purposes.
The object classes and access vectors are randomized, as in the
attached classmap.h.
This patch makes it possible to map their values using the text identifier,
so we can expect it to work fine independent of the order of
classes and access vectors.

Did you already remove the unused kernel permissions?

-- kernel boot messages
   :
Creating initial device nodes
plymouthd used greatest stack depth: 6532 bytes left
async/0 used greatest stack depth: 6284 bytes left
async/1 used greatest stack depth: 5828 bytes left
input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
type=1404 audit(1254231627.600:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
SELinux:  Permission module_request in class system not defined in policy.
SELinux: the above unknown classes and permissions will be allowed
type=1403 audit(1254231628.088:3): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1254231628.100:4): avc:  denied  { transition } for  pid=58 comm="init" path="/bin/plymouth" dev=rootfs ino=3512 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=process
type=1400 audit(1254231628.438:5): avc:  denied  { transition } for  pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process
type=1400 audit(1254231628.458:6): avc:  denied  { entrypoint } for  pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:bin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
init used greatest stack depth: 5684 bytes left
init: Not being executed as init
------

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
/* These definitions must match the definitions in av_permissions.h. */

/*
 * Permission names shared by every file-like class (dir, file, lnk_file,
 * chr_file, blk_file, sock_file, fifo_file).  Expands to a bare
 * comma-separated list of string literals with no trailing NULL, so each
 * use in secclass_map below appends its own terminator.
 *
 * NOTE(review): the covering mail lists "swapon" as a legacy permission
 * (its LSM hook was never merged); it is kept here only so that the
 * remaining names keep their position in the list.
 */
#define COMMON_FILE_PERMS \
	"mounton", "quotaon", "swapon", "execute", "rename", "link", \
	"unlink", "append", "relabelto", "relabelfrom", "lock", \
	"setattr", "getattr", "create", "write", "read", "ioctl"

/*
 * Permission names shared by every socket class.  Same convention as
 * COMMON_FILE_PERMS: a comma list without a terminating NULL.
 *
 * NOTE(review): "recv_msg" and "send_msg" are listed in the covering mail
 * as legacy compat_net=1 checks that the kernel no longer performs.
 */
#define COMMON_SOCK_PERMS \
	"append", "bind", "connect", "listen", "accept", "getopt", \
	"setopt", "shutdown", "recvfrom", "setattr", "lock", \
	"relabelfrom", "relabelto", "sendto", "recv_msg", "send_msg", \
	"name_bind", "ioctl", "read", "write", "create", "getattr"

/*
 * Table of SELinux object classes and their access-vector permission names.
 * Each entry pairs a class name with a NULL-terminated list of permission
 * names; the table itself ends with a { NULL } entry.
 *
 * NOTE(review): this is the test copy attached to the covering mail.  The
 * class and permission order was deliberately randomized to exercise the
 * by-name mapping introduced by the patch under discussion; it is not the
 * canonical ordering and should not be used as-is.
 *
 * Entries marked "legacy" below are the permissions the covering mail lists
 * as no longer used by the kernel.  The mail argues for keeping them in
 * classmap.h anyway, because removing them from policy would break kernels
 * that predate the by-name mapping.
 */
struct security_class_mapping secclass_map[] = {
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name",
	    "reparent", "search", "rmdir", "open", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file",
	  { COMMON_FILE_PERMS, NULL } },
	/*
	 * legacy: "execute_no_trans" and "entrypoint" were added to chr_file
	 * only so that "execmod" gets the same value as in class file.
	 */
	{ "chr_file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
	/* legacy: "swapon" (via COMMON_FILE_PERMS) -- LSM hook never merged */
	{ "file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
	/* legacy: "flow_in" and "flow_out" -- never merged to mainline */
	{ "packet",
	  { "send", "recv", "relabelto", "flow_in", "flow_out",
	    "forward_in", "forward_out", NULL } },
	{ "blk_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	{ "sock_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	{ "fifo_file",
	  { COMMON_FILE_PERMS, "open", NULL } },
	/* legacy: "recv_msg"/"send_msg" (via COMMON_SOCK_PERMS) -- compat_net=1 */
	{ "socket",
	  { COMMON_SOCK_PERMS, NULL } },
	/* legacy: "connectto", "newconn", "acceptfrom" -- never merged */
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS,
	    "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
	    NULL } },
	{ "udp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "rawip_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "netlink_nflog_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
	    "nlmsg_tty_audit", NULL } },
	{ "netlink_ip6fw_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_dnrt_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	/*
	 * legacy: the first nine names ("tcp_recv" .. "dccp_send") are legacy
	 * network / compat_net=1 checks; "recvfrom" and "sendto" are not
	 * listed as legacy in the covering mail.
	 */
	{ "node",
	  { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
	    "rawip_recv", "rawip_send", "enforce_dest",
	    "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
	/*
	 * legacy: the first eight names ("tcp_recv" .. "dccp_send") are legacy
	 * network / compat_net=1 checks; "ingress"/"egress" are not listed.
	 */
	{ "netif",
	  {  "tcp_recv", "tcp_send", "udp_recv", "udp_send",
	     "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
	     "ingress", "egress", NULL } },
	{ "netlink_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	/* legacy: "newconn", "acceptfrom" -- only "connectto" is still used */
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
	  } },
	{ "unix_dgram_socket",
	  { COMMON_SOCK_PERMS, NULL
	  } },
	{ "sem",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write",
	    "enqueue", NULL } },
	{ "shm",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", "lock",
	    NULL } },
	{ "ipc",
	  { "create", "destroy", "getattr", "setattr", "read",
	    "write", "associate", "unix_read", "unix_write", NULL } },
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_firewall_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_kobject_uevent_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "security",
	  { "compute_av", "compute_create", "compute_member",
	    "check_context", "load_policy", "compute_relabel",
	    "compute_user", "setenforce", "setbool", "setsecparam",
	    "setcheckreqprot", NULL } },
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill",
	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
	    "execmem", "execstack", "execheap", "setkeycreate",
	    "setsockcreate", NULL } },
	/*
	 * NOTE(review): the boot log in the covering mail reports
	 * "module_request" in class system as not defined in the loaded
	 * policy; whether that is related to the randomized ordering is not
	 * established there.
	 */
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod",
	    "syslog_console", "module_request", NULL } },
	{ "capability",
	  { "chown", "dac_override", "dac_read_search",
	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
	    "linux_immutable", "net_bind_service", "net_broadcast",
	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
	    "sys_boot", "sys_nice", "sys_resource", "sys_time",
	    "sys_tty_config", "mknod", "lease", "audit_write",
	    "audit_control", "setfcap", NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr",
	    "relabelfrom", "relabelto", "transition", "associate", "quotamod",
	    "quotaget", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	{ "capability2", { "mac_override", "mac_admin", NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	/* end-of-table sentinel: a NULL class name terminates the walk */
	{ NULL }
  };

