On Fri, Feb 22, 2019 at 9:51 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 2/22/19 8:40 AM, Dominick Grift wrote:
> > Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
> >
> >> On 2/22/19 3:55 AM, Dominick Grift wrote:
> >>> On Thu, Feb 21, 2019 at 04:31:47PM -0500, Stephen Smalley wrote:
> >>>> Derived in part from a patch by Dominick Grift.
> >>>>
> >>>> The MDP example no longer works on modern systems. Fix it.
> >>>> While we are at it, add MLS support and enable it.
> >>>>
> >>>> NB This still does not work on systems using dbus-daemon instead of
> >>>> dbus-broker because dbus-daemon does not yet gracefully handle unknown
> >>>> classes/permissions. This appears to be a deficiency in libselinux's
> >>>> selinux_set_mapping() interface and underlying implementation,
> >>>> which was never fully updated to deal with unknown classes/permissions
> >>>> unlike the kernel. The same problem also occurs with XSELinux.
> >>>> Programs that instead use selinux_check_access() like dbus-broker
> >>>> should not have this problem.
> >>>>
> >>>> Changes to mdp:
> >>>> Add support for devtmpfs, required by modern Linux distributions.
> >>>> Add MLS support, with sample sensitivities, categories, and constraints.
> >>>> Generate fs_use and genfscon rules based on kernel configuration.
> >>>> Update list of filesystem types for fs_use and genfscon rules.
> >>>> Use object_r for object contexts.
> >>>>
> >>>> Changes to install_policy.sh:
> >>>> Bail immediately on any errors.
> >>>> Provide more helpful error messages when unable to find userspace tools.
> >>>> Refuse to run if SELinux is already enabled.
> >>>> Unconditionally move aside /etc/selinux/config and create a new one.
> >>>> Build policy with -U allow so that userspace object managers do not break.
> >>>> Build policy with MLS enabled by default.
> >>>> Create seusers, failsafe_context, and default_contexts for use by
> >>>> pam_selinux / libselinux.
> >>>> Create x_contexts for the SELinux X extension.
> >>>> Create virtual_domain_context and virtual_image_context for libvirtd.
> >>>> Set to permissive mode rather than enforcing to permit initial autorelabel.
> >>>> Update the list of filesystem types to be relabeled.
> >>>> Write -F to /.autorelabel to cause a forced autorelabel on reboot.
> >>>> Drop broken attempt to relabel the /dev mountpoint directory.
> >>>>
> >>>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> >>>> ---
...
> Ok, in that case I'm going to consider the v6 patch the final one unless
> Paul has comments.

No major comments from me, both you and Dominick really ran with this and
I appreciate the effort.

Merged into selinux/next, thanks guys.

--
paul moore
www.paul-moore.com