On 1/29/20 10:01 AM, Stephen Smalley wrote:
Remove restrictions in libsepol and checkpolicy that required all declared initial SIDs to be assigned a context. With this patch, it is possible to build and load a policy that drops the sid <sidname> <context> declarations for the unused initial SIDs. It is still required to retain the sid <sidname> declarations (in the flask definitions) in order to preserve the initial SID ordering/values. The unused initial SIDs can be renamed, e.g. to add an unused_ prefix or similar, if desired, since the names used in the policy are not stored in the kernel binary policy.

In CIL policies, the (sid ...) and (sidorder (...)) statements must be left intact for compatibility, but the (sidcontext ...) statements for the unused initial SIDs can be omitted after this change.

With current kernels, if one removes an unused initial SID context from policy, builds policy with this change applied and loads the policy into the kernel, cat /sys/fs/selinux/initial_contexts/<sidname> will show the unlabeled context. With the kernel patch to remove unused initial SIDs, the /sys/fs/selinux/initial_contexts/<sidname> file will not be created for unused initial SIDs in the first place.

NB If an unused initial SID was assigned a context different from the unlabeled context in existing policy, then it is not safe to remove that initial SID context from policy and reload policy on the running kernel that was booted with the original policy. This is because that kernel may have assigned that SID to various kernel objects already, and those objects will then be treated as having the unlabeled context after the removal. In refpolicy, examples of such initial SIDs are the "fs" SID and the "sysctl" SID. Even though these initial SIDs are not directly used (in code) by the current kernel, their contexts are being applied to filesystems and sysctl files by policy and therefore the SIDs are being assigned to objects.

NB The "sysctl" SID was in use by the kernel up until commit 8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc ("security/selinux: fix /proc/sys/ labeling") circa v2.6.39. Removing its context from policy will cause sysctl(2) or /proc/sys accesses to end up performing permission checks against the unlabeled context and likely encounter denials for kernels < 2.6.39.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
v2 issues informational messages about missing initial SID contexts so that policy developers can detect unintended inconsistencies, and ensures that the entries are stripped before writing kernel policy rather than accepting them when reading.

Something isn't quite right here though; I see the messages when compiling monolithic policy with checkpolicy but not with a modular build (even upon make validate) or semodule -v -i of a modified base module that removes some initial SID contexts.
Never mind. For modular build I was getting the messages while compiling the base module (just missed it in the output) and for semodule I needed to turn up verbosity sufficiently to get informational messages out of cil. So it works as expected AFAICT.
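The CIL rules and the safety condition discussed in the thread above, checked mechanically: which initial SIDs in (sidorder ...) have no (sidcontext ...), and whether a SID's context is identical to the unlabeled context (the condition the patch description gives for dropping a sidcontext being safe on a running kernel). This is an added example written for this page, not code from libsepol, checkpolicy or the CIL compiler; the policy fragment is constructed (the SID names are real initial SID names, the contexts are illustrative), and the report keys and function names are this script's own. The last helper applies the same comparison to the files under /sys/fs/selinux/initial_contexts on a live system, which is the observable effect the message describes for current kernels.

```python
"""Report initial SID context coverage in a CIL policy (added example)."""
import os
import re
from typing import Dict, List

# Constructed sample (not refpolicy): any_socket keeps its (sid) and its
# place in (sidorder) but has no (sidcontext), as this patch permits.
SAMPLE_CIL = """
; named context, used for the unlabeled SID
(context unlabeled_ctx (system_u object_r unlabeled_t ((s0) (s0))))
(sid kernel)
(sid security)
(sid unlabeled)
(sid fs)
(sid file)
(sid any_socket)
(sidorder (kernel security unlabeled fs file any_socket))
(sidcontext kernel (system_u system_r kernel_t ((s0) (s0))))
(sidcontext security (system_u object_r security_t ((s0) (s0))))
(sidcontext unlabeled unlabeled_ctx)
(sidcontext fs (system_u object_r fs_t ((s0) (s0))))
; same context as unlabeled, written inline rather than by name
(sidcontext file (system_u object_r unlabeled_t ((s0) (s0))))
"""

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_cil(text: str) -> list:
    """Read CIL s-expressions into nested lists; symbols stay strings.
    Comments run from ';' to end of line."""
    source = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    stack: List[list] = [[]]
    for tok in _TOKEN.findall(source):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def _statements(tree: list, keyword: str):
    """Yield every (keyword ...) node, including ones nested in blocks."""
    if isinstance(tree, list):
        if tree and tree[0] == keyword:
            yield tree
        for child in tree:
            yield from _statements(child, keyword)


def _freeze(node):
    """Make a parsed context hashable/comparable."""
    return tuple(_freeze(c) for c in node) if isinstance(node, list) else node


def _resolve(ctx, named: Dict[str, list]):
    """A sidcontext argument is either a (context ...) name or an inline context."""
    if isinstance(ctx, str):
        if ctx not in named:
            raise ValueError(f"unknown named context {ctx}")
        ctx = named[ctx]
    return _freeze(ctx)


def initial_sid_report(cil_text: str) -> Dict[str, List[str]]:
    tree = parse_cil(cil_text)
    declared = [s[1] for s in _statements(tree, "sid")]
    order = [n for s in _statements(tree, "sidorder") for n in s[1]]
    named = {s[1]: s[2] for s in _statements(tree, "context")}
    contexts = {s[1]: _resolve(s[2], named) for s in _statements(tree, "sidcontext")}
    unlabeled = contexts.get("unlabeled")
    others = [n for n in order if n != "unlabeled" and n in contexts]
    return {
        # (sidorder) names without a (sid): the SID numbering would not match the kernel
        "undeclared": [n for n in order if n not in declared],
        "unordered": [n for n in declared if n not in order],
        # the informational case this patch introduces: declared, but no context
        "missing_context": [n for n in order if n not in contexts],
        # dropping these changes nothing the kernel resolves them to
        "matches_unlabeled": [n for n in others if contexts[n] == unlabeled],
        # dropping these relabels objects the running kernel already assigned
        "differs_from_unlabeled": [n for n in others if contexts[n] != unlabeled],
    }


def sids_with_unlabeled_context(initial: Dict[str, str]) -> List[str]:
    """Given {sid name: context string} as read from initial_contexts, list
    every SID other than 'unlabeled' that currently resolves to that context."""
    target = initial.get("unlabeled")
    return sorted(n for n, c in initial.items() if n != "unlabeled" and c == target)


def read_initial_contexts(root: str = "/sys/fs/selinux/initial_contexts") -> Dict[str, str]:
    """Read the per-SID files selinuxfs exposes; empty dict when not on SELinux."""
    if not os.path.isdir(root):
        return {}
    out = {}
    for name in os.listdir(root):
        with open(os.path.join(root, name), "rb") as f:
            out[name] = f.read().decode("utf-8", "replace").rstrip("\0\n")
    return out


if __name__ == "__main__":
    for key, names in initial_sid_report(SAMPLE_CIL).items():
        print(f"{key}: {' '.join(names) or '-'}")
    live = read_initial_contexts()
    if live:
        print("live SIDs sharing the unlabeled context:", sids_with_unlabeled_context(live))
```

Point initial_sid_report at a real policy (for example the CIL produced by a module build) to see which SIDs would trigger the informational messages the v2 patch adds, and which of those are safe to drop on a kernel that is already running the old policy. A SID that appears in the live list on a current kernel has either had its sidcontext dropped or is deliberately mapped to the unlabeled context; the script cannot tell these apart, only the policy source can.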