Bug 1351621 - Missing policy definitions
Summary: Missing policy definitions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1368057
Reported: 2016-06-30 12:47 UTC by Daniel Walsh
Modified: 2016-09-15 21:13 UTC (History)

Fixed In Version: selinux-policy-3.13.1-200.fc25 selinux-policy-3.13.1-208.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-17 03:04:44 UTC
Type: Bug
Embargoed:



Description Daniel Walsh 2016-06-30 12:47:24 UTC
Stephen Smalley reports 

Can't implement a selinux-testsuite test for this check until the
Fedora base policy defines the permission.  Ditto for various other
recently added classes and permissions, e.g. dmesg | grep SELinux
after boot on rawhide shows:
SELinux:  Permission validate_trans in class security not defined in policy.
SELinux:  Permission module_load in class system not defined in policy.
SELinux:  Class cap_userns not defined in policy.
SELinux:  Class cap2_userns not defined in policy.
SELinux: the above unknown classes and permissions will be allowed

Need to merge in these changes from upstream

Comment 1 Jan Kurik 2016-07-26 04:37:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 2 Fedora Update System 2016-08-12 15:57:54 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-662487f8f1

Comment 3 Fedora Update System 2016-08-17 03:03:03 UTC
selinux-policy-3.13.1-208.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 4 Stephen Smalley 2016-08-17 16:57:05 UTC
We still seem to be missing module_load and validate_trans:
[ 2233.727092] SELinux:  Permission validate_trans in class security not defined in policy.
[ 2233.727099] SELinux:  Permission module_load in class system not defined in policy.

Both are defined in refpolicy, but it doesn't look like any allow rules have been added yet for them, so you may need to allow them to avoid breakage once defined.

When the caller uses init_module(2) to load the module from its own memory, SELinux checks against self, so the allow rule has the form allow X self:system module_load;.  This is equivalent to allow X self:capability sys_module;

When the caller uses finit_module(2) to load the module from an open file, SELinux checks against the file label, so the allow rule has the form allow X label_of_file:system module_load;, e.g. allow X modules_object_t:system module_load; allows loading kernel modules from /lib/modules but not other files.

The ultimate goal would be to convert userspace over to using finit_module(2) always when supported by the kernel, and then we could remove the allow X self:system rules and limit module loading to specific files.  Android uses this to limit module loading to read-only, verified partitions, for example.
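An added check, not part of this bug report, that parses the kernel messages quoted in the description and in Comment 4 and reports which classes and permissions the loaded policy lacks, plus whether the kernel is allowing those checks unconditionally. Example code: the timestamps on all lines except the two from Comment 4 are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Message formats as the kernel prints them; the dmesg "[ 2233.727092] " prefix is stripped first.
PERM_RE = re.compile(r"SELinux:\s+Permission (\w+) in class (\w+) not defined in policy")
CLASS_RE = re.compile(r"SELinux:\s+Class (\w+) not defined in policy")
HANDLE_RE = re.compile(r"SELinux: the above unknown classes and permissions will be (allowed|denied)")

@dataclass
class MissingDefs:
    classes: Set[str] = field(default_factory=set)            # whole classes the policy lacks
    perms: Dict[str, Set[str]] = field(default_factory=dict)  # class -> permissions it lacks
    unknown_handling: Optional[str] = None                    # "allowed" / "denied" / None if not logged

def parse_dmesg(lines):
    """Collect every class/permission the kernel reported as undefined in the loaded policy."""
    found = MissingDefs()
    for raw in lines:
        line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", raw.strip())  # drop dmesg timestamp
        if m := PERM_RE.search(line):
            found.perms.setdefault(m.group(2), set()).add(m.group(1))
        elif m := CLASS_RE.search(line):
            found.classes.add(m.group(1))
        elif m := HANDLE_RE.search(line):
            found.unknown_handling = m.group(1)
    return found

def report(found):
    """One finding per missing definition, then what the kernel does with the unknown checks."""
    out = [f"class {c}: not defined" for c in sorted(found.classes)]
    for cls, perms in sorted(found.perms.items()):
        out.append(f"class {cls}: missing permission(s) {', '.join(sorted(perms))}")
    if out and found.unknown_handling == "allowed":
        out.append("impact: these checks are granted unconditionally until the policy defines them")
    elif out and found.unknown_handling == "denied":
        out.append("impact: these checks are refused unconditionally until the policy defines them")
    return out

# Constructed sample: the lines quoted in this bug plus one unrelated line that must be ignored.
SAMPLE_DMESG = [
    "[ 2233.727092] SELinux:  Permission validate_trans in class security not defined in policy.",
    "[ 2233.727099] SELinux:  Permission module_load in class system not defined in policy.",
    "[ 2233.727105] SELinux:  Class cap_userns not defined in policy.",
    "[ 2233.727110] SELinux:  Class cap2_userns not defined in policy.",
    "[ 2233.727115] SELinux: the above unknown classes and permissions will be allowed",
    "[ 2240.000000] audit: type=1400 avc:  denied  { read } (constructed, unrelated)",
]
```

Running report(parse_dmesg(SAMPLE_DMESG)) gives one line per missing definition followed by the impact line; feed it the real dmesg output to check a freshly installed policy build.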

