Paul Moore <paul@xxxxxxxxxxxxxx> writes:

> On Fri, Feb 15, 2019 at 12:24 PM Dominick Grift <dac.override@xxxxxxxxx> wrote:
>> Dominick Grift <dac.override@xxxxxxxxx> writes:
>> > Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
>> >
>> >> On 2/15/19 10:25 AM, Stephen Smalley wrote:
>> >>> On 2/15/19 10:05 AM, Stephen Smalley wrote:
>> >>>> On 2/15/19 10:03 AM, Stephen Smalley wrote:
>> >>>>> On 2/15/19 10:00 AM, Paul Moore wrote:
>> >>>>>> On Fri, Feb 15, 2019 at 9:51 AM Stephen Smalley
>> >>>>>> <sds@xxxxxxxxxxxxx> wrote:
>> >>>>>>> Add basic MLS policy support to mdp. Declares
>> >>>>>>> two sensitivities and two categories, defines
>> >>>>>>> mls constraints for all permissions requiring
>> >>>>>>> dominance (ala MCS), assigns the system-high
>> >>>>>>> level to initial SID contexts and the default user
>> >>>>>>> level, and assigns system-low level to filesystems.
>> >>>>>>>
>> >>>>>>> Also reworks the fs_use and genfscon rules to only
>> >>>>>>> generate rules for filesystems that are configured
>> >>>>>>> in the kernel. In some cases this depends on a specific
>> >>>>>>> config option for security xattrs, in other cases security
>> >>>>>>> xattrs are unconditionally supported by a given filesystem
>> >>>>>>> if the filesystem is enabled, and in some cases the filesystem
>> >>>>>>> is always enabled in the kernel. Dropped obsolete pseudo
>> >>>>>>> filesystems.
>> >>>>>>>
>> >>>>>>> NB The list of fs_use_* and genfscon rules emitted by mdp
>> >>>>>>> is very incomplete compared to refpolicy or Android sepolicy.
>> >>>>>>> We should probably expand it.
>> >>>>>>>
>> >>>>>>> Usage:
>> >>>>>>> scripts/selinux/mdp/mdp -m policy.conf file_contexts
>> >>>>>>> checkpolicy -M -o policy policy.conf
>> >>>>>>>
>> >>>>>>> Then install the resulting policy and file_contexts as usual.
>> >>>>>>>
>> >>>>>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>> >>>>>>> ---
>> >>>>>>> v3 fixes up the file contexts generation code to also use
>> >>>>>>> SYSTEMLOW and
>> >>>>>>> collapse down to a single fprintf call per line.
>> >>>>>>> scripts/selinux/mdp/mdp.c | 131
>> >>>>>>> ++++++++++++++++++++++++++++++--------
>> >>>>>>> 1 file changed, 103 insertions(+), 28 deletions(-)
>> >>>>>>
>> >>>>>> This is great Stephen, thanks for working on this - and rather quickly
>> >>>>>> too! For those who don't follow the GitHub issues, I just opened an
>> >>>>>> issue yesterday mentioning it would be nice to add MLS support to the
>> >>>>>> mdp tool.
>> >>>>>>
>> >>>>>> Are you planning to keep playing with this? I'm asking not because I
>> >>>>>> think it needs more work to be worthwhile, but rather I don't want to
>> >>>>>> merge something that you want to continue working on. If you are
>> >>>>>> happy with this latest patch I think it is okay to merge this into
>> >>>>>> selinux/next, even at this late stage, simply because it is not part
>> >>>>>> of a built kernel, but rather a developer's tool.
>> >>>>>
>> >>>>> No, I think I'm done for now unless you find a problem with
>> >>>>> it. Absent some compelling use case for mdp it is hard to justify
>> >>>>> spending any more time on it.
>> >>>>
>> >>>> Note however that the instructions in
>> >>>> Documentation/admin-guide/LSM/SELinux.rst just say to run
>> >>>> scripts/selinux/install_policy.sh and since that doesn't pass -m to
>> >>>> mdp or -M to checkpolicy, no one will use this support unless they
>> >>>> do it all by hand.
>> >>>
>> >>> FWIW, a Fedora system wouldn't come up cleanly with this policy.
>> >>> Partly appears to be due to systemd having embedded security
>> >>> contexts specific to Fedora/refpolicy into its own configurations
>> >>> and partly due to MLS denials. I don't even know if it would work
>> >>> before this change though...
>> >>
>> >> Couldn't seem to get an mdp-generated policy to boot on Fedora even in
>> >> permissive, before or after this change. I assume it has to do with
>> >> leaking of contexts outside of the policy and/or missing config files
>> >> from the dummy policy (e.g. /etc/selinux/targeted/contexts/ has
>> >> systemd_contexts and other userspace config files that don't exist in
>> >> the mdp policy). More evidence of the irrelevance of mdp...
>> >
>> > Oh, right, you need a "dbus_contexts" file probably. DBUS refuses to
>> > start without it, and these days without dbus no system
>>
>> My dssp2-minimal [1] policy is my alternative to mdp.
>>
>> https://github.com/DefenSec/dssp2-minimal
>>
>> It is not quite as simple as mdp but I think it is a decent balance
>> between having something useful and still easy to read.
>
> While dssp2-minimal is much smaller than reference policy, it's still
> an order of magnitude larger than the mdp generated policy. I'm not
> sure if this is something you care about, but if you wanted to work on
> getting mdp to the point where it would allow a Fedora system (or any
> modern SELinux based system for that matter) to boot, that could be
> useful, even if I'm not convinced it needs to be a priority at the
> moment.

It is also an order of magnitude more useful than mdp. I suppose I could
look at what it would take to get it to boot on some rainy afternoon.
Should not be hard, but I hesitate to pollute mdp with user space access
vectors. It feels like setting a precedent somehow.

>
> Besides, haven't you always wanted to get a patch accepted into the
> kernel, Dominick? ;)

Not particularly, no.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
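Added example for the MLS pieces the commit message above describes (two sensitivities, two categories, an MCS-style dominance constraint per class, system-high for subjects and system-low for filesystems). This is not code from mdp.c or the kernel tree, and it is not a claim about the exact text mdp emits: it writes equivalent declarations in policy.conf syntax and evaluates the `h1 dom h2` relation those mlsconstrain rules depend on, so you can see why a system-high subject reaches a system-low filesystem object while the reverse is denied. The class, permission, user, role and type names used below (`file`, `user_u`, `base_r`, `base_t`, `fs_t`) are assumptions chosen for illustration.

```python
# Added example, not mdp's own code. Generates MLS declarations in
# policy.conf syntax and evaluates the "h1 dom h2" dominance check that
# an MCS-style mlsconstrain applies. Class/permission/type names passed
# in or used in the demo at the bottom are illustrative assumptions.

SENSITIVITIES = ["s0", "s1"]        # listed low to high; this is the dominance order
CATEGORIES = ["c0", "c1"]
SYSTEMLOW = SENSITIVITIES[0]                                          # "s0"
SYSTEMHIGH = f"{SENSITIVITIES[-1]}:{CATEGORIES[0]}.{CATEGORIES[-1]}"  # "s1:c0.c1"


def parse_level(level):
    """Turn 's1:c0.c1', 's1:c0,c1' or plain 's0' into (sensitivity index, category set)."""
    sens, _, cats = level.partition(":")
    cat_set = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                      # c0.c1 denotes an inclusive range
            lo, hi = part.split(".")
            lo_i, hi_i = CATEGORIES.index(lo), CATEGORIES.index(hi)
            cat_set.update(CATEGORIES[lo_i:hi_i + 1])
        else:
            cat_set.add(part)
    return SENSITIVITIES.index(sens), frozenset(cat_set)


def dom(a, b):
    """'a dom b': a's sensitivity is at least b's and a's categories include all of b's."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa >= sb and ca >= cb


def high_level(context):
    """High end of the MLS range in 'user:role:type:level[-level]' (h1/h2 in a constraint)."""
    mls_range = context.split(":", 3)[3]
    return mls_range.split("-")[-1]


def mls_check(subject_ctx, object_ctx):
    """Evaluate the constraint body '( h1 dom h2 )' for a subject/object context pair."""
    return dom(high_level(subject_ctx), high_level(object_ctx))


def mls_policy_fragment(classes):
    """Emit sensitivity/dominance/category/level declarations plus one
    mlsconstrain per class covering the given permissions, in policy.conf syntax."""
    lines = [f"sensitivity {s};" for s in SENSITIVITIES]
    lines.append("dominance { " + " ".join(SENSITIVITIES) + " }")
    lines += [f"category {c};" for c in CATEGORIES]
    lines += [f"level {s}:{CATEGORIES[0]}.{CATEGORIES[-1]};" for s in SENSITIVITIES]
    for cls, perms in classes.items():
        lines.append(f"mlsconstrain {cls} {{ {' '.join(perms)} }} ( h1 dom h2 );")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(mls_policy_fragment({"file": ["read", "write", "getattr"]}))
    # A system-high subject may touch a system-low filesystem object (True),
    # while a system-low subject touching a system-high object fails (False).
    print(mls_check("user_u:base_r:base_t:" + SYSTEMHIGH, "user_u:object_r:fs_t:" + SYSTEMLOW))
    print(mls_check("user_u:base_r:base_t:" + SYSTEMLOW, "user_u:object_r:fs_t:" + SYSTEMHIGH))
```

The generated text is only the MLS portion of a policy; it still has to be combined with the class, permission, type, role and user declarations (and users need a `level`/`range` clause once MLS is on), and then compiled with `checkpolicy -M`, as the usage in the commit message says.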