On Wed, 2009-09-30 at 11:32 +0900, KaiGai Kohei wrote:
> Stephen Smalley wrote:
> > There are several legacy permissions that are no longer used by SELinux.
> > We could remove these from the kernel's classmap.h definitions without
> > breaking anything (subsequent permissions would get mapped to policy
> > values appropriately by the new logic), but removing them from the
> > policy would be harder as it would break all kernels that predate these
> > patches. Thus, I'm not sure we benefit from removing them from
> > classmap.h.
> >
> > The unused permissions include:
> > # LSM hook never merged to mainline
> > file swapon
> > # compat_net=1 checks
> > socket { recv_msg send_msg }
> > # Only added so that subsequent permissions (execmod) would get the same value as class file
> > chr_file { execute_no_trans entrypoint }
> > # Original socket controls; never merged to mainline
> > tcp_socket { connectto newconn acceptfrom }
> > # legacy network or compat_net=1 checks
> > node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send }
> > # legacy network or compat_net=1 checks
> > netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
> > # Original socket controls; never merged to mainline - only connectto is used
> > unix_stream_socket { newconn acceptfrom }
> > # Patches merged prematurely by Fedora, never merged to mainline
> > packet { flow_in flow_out }
>
> It is just a report. I could not reach origin of the matter yet.
>
> When I applies your patch as is, build, install and reboot,
> I could not find any *obvious* matter (such as boot failed). Good.
>
> Then, I modified the classmap.h for the test purpose.
> The object classes and access vectors are ramdomized as the
> attached claasmap.h.
> This patch enables to map value of them using text identifier,
> so we can expect it works fine independent from the order of
> classes and access vectors.
>
> Did you already remove the unused kernel permissions?
>
> -- kernel boot messages
> :
> Creating initial device nodes
> plymouthd used greatest stack depth: 6532 bytes left
> async/0 used greatest stack depth: 6284 bytes left
> async/1 used greatest stack depth: 5828 bytes left
> input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input4
> kjournald starting. Commit interval 5 seconds
> EXT3-fs: mounted filesystem with ordered data mode.
> type=1404 audit(1254231627.600:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
> SELinux: Permission module_request in class system not defined in policy.
> SELinux: the above unknown classes and permissions will be allowed
> type=1403 audit(1254231628.088:3): policy loaded auid=4294967295 ses=4294967295
> type=1400 audit(1254231628.100:4): avc: denied { transition } for pid=58 comm="init" path="/bin/plymouth" dev=rootfs ino=3512 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=process
> type=1400 audit(1254231628.438:5): avc: denied { transition } for pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process
> type=1400 audit(1254231628.458:6): avc: denied { entrypoint } for pid=58 comm="init" path="/sbin/telinit" dev=sda5 ino=621655 scontext=system_u:object_r:bin_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
> init used greatest stack depth: 5684 bytes left
> init: Not being executed as init
> ------
Oh, I see why. The security server internally uses a few class and
permission symbolic definitions (e.g. SECCLASS_PROCESS,
PROCESS__TRANSITION, ...), and it expects them to correspond to the
policy values rather than the kernel-private indices. So it needs to
instead use string_to_security_class() and string_to_av_perm() to look
them up. Easy enough to fix.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
