[refpolicy] How to handle glibc-triggered behavior?

Dominick Grift dac.override at gmail.com
Fri Apr 3 15:44:53 UTC 2015


On Fri, Apr 03, 2015 at 03:47:52PM +0200, Miroslav Grepl wrote:
> On 01/12/2015 03:03 PM, Christopher J. PeBenito wrote:
> > t seem to be very concerning
> 
> We have
> 
> # /proc/sys/vm/overcommit_memory
> type sysctl_vm_overcommit_t, sysctl_type;
> genfscon proc /sys/vm/overcommit_memory
> gen_context(system_u:object_r:sysctl_vm_overcommit_t,s0)
> 
> and
> 
> kernel_read_vm_overcommit_sysctls(domain)
> 
> for this case in Fedora.

Provided that my sesearch output is accurate (sesearch does not work too well with CIL), i have:

sesearch -ASCT -s subject_type -d
Found 3 semantic av rules:
   allow subject_type rootfs_fs_t : dir { getattr open search } ; 
   allow subject_type systemd_t : process sigchld ; 
   allow subject_type shutdown_t : process sigchld ; 

subject_type is the equivalent of domain, and is a sub-set of:

# sesearch -ASCT -s subject_common_type -d
Found 23 semantic av rules:
   allow subject_common_type sysctl_t : dir { getattr open search } ; 
   allow subject_common_type vm_sysctl_t : dir { getattr open search } ; 
   allow subject_common_type vm_overcommit_sysctl_t : file { ioctl read getattr lock open } ; 
   allow subject_common_type invalid_t : dir { getattr open search } ; 
   allow subject_common_type config_t : dir { getattr open search } ; 
   allow subject_common_type data_t : dir { getattr open search } ; 
   allow subject_common_type devtty_dev_t : chr_file { ioctl read write getattr lock append open } ; 
   allow subject_common_type null_dev_t : chr_file { ioctl read write getattr lock append open } ; 
   allow subject_common_type zero_dev_t : chr_file { ioctl read write getattr lock append open } ; 
   allow subject_common_type exec_t : dir { getattr open search } ; 
   allow subject_common_type exec_t : lnk_file { read getattr } ; 
   allow subject_common_type devtmpfs_fs_t : dir { getattr open search } ; 
   allow subject_common_type proc_fs_t : file { ioctl read getattr lock open } ; 
   allow subject_common_type proc_fs_t : dir { getattr open search } ; 
   allow subject_common_type proc_fs_t : lnk_file { read getattr } ; 
   allow subject_common_type sysfs_fs_t : dir { getattr open search } ; 
   allow subject_common_type securityfs_fs_t : filesystem getattr ; 
   allow subject_common_type libraries_object_type : file { ioctl read getattr execute open } ; 
   allow subject_common_type lib_t : dir { ioctl read getattr lock open search } ; 
   allow subject_common_type lib_t : lnk_file { read getattr } ; 
   allow subject_common_type textrel_shlib_t : file execmod ; 
   allow subject_common_type ld_so_t : file { ioctl read getattr execute open } ; 
   allow subject_common_type ld_so_cache_t : file { ioctl read getattr lock open } ; 

This is what all the processes in my policy are associated with

So in practice it pretty much means that same when it comes to vm_overcommit compared to fedora

The difference with my policy is that i keep a "subject_type" for scenarios where one does not want the rules associated with subject_common_type, however unlikely that may seem

That is basically the only difference, i provide the flexibility for users of my policy to start a policy with really the bare minimum rules without breaking the model

Not because I think any of the rules associated with subject_common_type are dangerous, but just because i acknowledge that i cannot make that decision for users of my policy
and so to stay on the safe side i just built in this caveat

> 
> -- 
> Miroslav Grepl
> Software Engineering, SELinux Solutions
> Red Hat, Inc.
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150403/c9458f6a/attachment.bin 


More information about the refpolicy mailing list