[refpolicy] [PATCH 5/7] Add socket and dccp_socket to socket_class_set

Nicolas Iooss nicolas.iooss at m4x.org
Tue Aug 26 13:22:15 EDT 2014


2014-08-25 17:07 GMT+02:00 Christopher J. PeBenito:
> On 8/23/2014 7:35 AM, Nicolas Iooss wrote:
>> ---
>>  policy/support/obj_perm_sets.spt | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
>> index 6e9131723cf4..5e8718a8be67 100644
>> --- a/policy/support/obj_perm_sets.spt
>> +++ b/policy/support/obj_perm_sets.spt
>> @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
>>  #
>>  # All socket classes.
>>  #
>> -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
>> -
>> +define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
> 
> I don't think we want to add socket to this set.  We need to be able to
> detect when there is generic socket class usage, as that means we need a
> kernel change and a corresponding new object class.
> 

I agree with this point of view, if "socket" class means "generic socket
which is never used in practice" (and which defines access vectors
common to all socket classes, as stated on the SELinux wiki [1]).

In fact, this patch comes from the old Debian patch to support systemd
[2].  It contained an awful amount of small changes not so much related
to systemd and the current Debian patches are much cleaner [3].  However
I applied the old patch on my Arch Linux policy to ease its development
and now I am splitting this patch in smaller patches which are much
easier to review (like the journald patches I sent a few days ago).

This is how I found this change, which made sense to me as socket and
dccp_socket are obviously in the socket class.  Moreover Fedora policy
also has socket and dccp_socket in socket_class_set [4].

Now that you said that "socket" should be used to detect new socket
class (if I understood correctly), there is something I no longer
understand in the current policy.  Why does contrib/mozilla.te contains
this? [5]

    allow mozilla_t self:socket create_socket_perms;

A quick "grep :socket -r policy" shows other domains allowed to use this
kind of socket.  Do you know where I could find a good documentation
about the socket class to understand why these allow rules are needed?

--
Nicolas


[1] http://www.selinuxproject.org/page/ObjectClassesPerms#common_socket
[2]
http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches/0100-systemd?id=b932d84a24c8edc07c95f92a96093e16bef043c8#n58
[3] http://anonscm.debian.org/cgit/selinux/refpolicy.git/tree/debian/patches
[4]
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/support/obj_perm_sets.spt?h=rawhide-base&id=f85b52d1c6805e9b0a8bd2a4a4332e66e4b52c00#n31
[5]
https://github.com/TresysTechnology/refpolicy-contrib/blob/21f961a147a9a08583825bdbe7cce43cf8fdc43d/mozilla.te#L80



More information about the refpolicy mailing list