On Fri, Feb 15, 2019 at 10:05 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 2/15/19 10:03 AM, Stephen Smalley wrote:
> > On 2/15/19 10:00 AM, Paul Moore wrote:
> >> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley <sds@xxxxxxxxxxxxx>
> >> wrote:
> >>> Add basic MLS policy support to mdp. Declares
> >>> two sensitivities and two categories, defines
> >>> mls constraints for all permissions requiring
> >>> dominance (ala MCS), assigns the system-high
> >>> level to initial SID contexts and the default user
> >>> level, and assigns system-low level to filesystems.
> >>>
> >>> Also reworks the fs_use and genfscon rules to only
> >>> generate rules for filesystems that are configured
> >>> in the kernel. In some cases this depends on a specific
> >>> config option for security xattrs, in other cases security
> >>> xattrs are unconditionally supported by a given filesystem
> >>> if the filesystem is enabled, and in some cases the filesystem
> >>> is always enabled in the kernel. Dropped obsolete pseudo
> >>> filesystems.
> >>>
> >>> NB The list of fs_use_* and genfscon rules emitted by mdp
> >>> is very incomplete compared to refpolicy or Android sepolicy.
> >>> We should probably expand it.
> >>>
> >>> Usage:
> >>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
> >>> checkpolicy -M -o policy policy.conf
> >>>
> >>> Then install the resulting policy and file_contexts as usual.
> >>>
> >>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >>> ---
> >>> v3 fixes up the file contexts generation code to also use SYSTEMLOW and
> >>> collapse down to a single fprintf call per line.
> >>>
> >>> scripts/selinux/mdp/mdp.c | 131 ++++++++++++++++++++++++++++++--------
> >>> 1 file changed, 103 insertions(+), 28 deletions(-)
> >>
> >> This is great Stephen, thanks for working on this - and rather quickly
> >> too! For those who don't follow the GitHub issues, I just opened an
> >> issue yesterday mentioning it would be nice to add MLS support to the
> >> mdp tool.
> >>
> >> Are you planning to keep playing with this? I'm asking not because I
> >> think it needs more work to be worthwhile, but rather I don't want to
> >> merge something that you want to continue working on. If you are
> >> happy with this latest patch I think it is okay to merge this into
> >> selinux/next, even at this late stage, simply because it is not part
> >> of a built kernel, but rather a developer's tool.
> >
> > No, I think I'm done for now unless you find a problem with it. Absent
> > some compelling use case for mdp it is hard to justify spending any more
> > time on it.
>
> Note however that the instructions in
> Documentation/admin-guide/LSM/SELinux.rst just say to run
> scripts/selinux/install_policy.sh and since that doesn't pass -m to mdp
> or -M to checkpolicy, no one will use this support unless they do it all
> by hand.

Good point. I tend to think that modifying the script to build MLS support by default is probably a good thing, after all why go to the trouble of adding MLS support to mdp? Anyone have a strong opinion against this?

Stephen, please feel free to submit a second patch adding support to the install_policy.sh script, but if you don't have time I'll get to that over the weekend.

--
paul moore
www.paul-moore.com
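The MLS section the commit message describes (two sensitivities, two categories, an MCS-style dominance constraint, system-high initial SIDs and system-low filesystems), written out as a hand-written illustration added here; it is not part of the thread and not mdp's own output, the class, type, role and user names are assumptions, and it shows the structure of a `checkpolicy -M` input rather than a complete loadable kernel policy.

```selinux
# Hand-written illustration of the MLS layout described above
# (assumed names; not the output of scripts/selinux/mdp/mdp).
class process
class file
class filesystem

sid kernel
sid unlabeled
sid fs
sid file

class process { fork transition }
class file { read write getattr }
class filesystem { mount getattr }

# Two sensitivities (s0 dominated by s1) and two categories.
# s0 is the system-low level, s1:c0.c1 the system-high level.
sensitivity s0;
sensitivity s1;
dominance { s0 s1 }
category c0;
category c1;
level s0:c0.c1;
level s1:c0.c1;

# MCS-style constraint: the subject's high level must dominate the
# object's level for these permissions to be granted at all.
mlsconstrain file { read write getattr } ( h1 dom h2 );

# Minimal TE/RBAC so the fragment compiles; the default user level is
# system-low and the user range spans system-low to system-high.
type base_t;
role base_r types base_t;
user user_u roles base_r level s0 range s0 - s1:c0.c1;
allow base_t base_t:process { fork transition };
allow base_t base_t:file { read write getattr };
allow base_t base_t:filesystem { mount getattr };

# Initial SID contexts at system-high.
sid kernel    user_u:base_r:base_t:s1:c0.c1
sid unlabeled user_u:base_r:base_t:s1:c0.c1
sid fs        user_u:base_r:base_t:s1:c0.c1
sid file      user_u:base_r:base_t:s1:c0.c1

# Filesystems at system-low.
fs_use_xattr ext4 user_u:base_r:base_t:s0;
genfscon proc / user_u:base_r:base_t:s0
```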