Comments (5)

pcmoore commented on July 23, 2024

FYI @wrabcak

from selinux.

stephensmalley commented on July 23, 2024

pebenito took care of some of this for refpolicy via:
SELinuxProject/refpolicy@e5dbe75
SELinuxProject/refpolicy@c656b97
SELinuxProject/refpolicy@3952ecb

I just opened a PR for removing unused permissions in:
SELinuxProject/refpolicy#159

If/when that gets merged, I have another commit to remove the netlink_firewall and netlink_ip6fw classes that were removed from the kernel a while back but that could break legacy userspace object managers if not using dynamic class/perm support.

Looks like the ipc class is no longer used and could be dropped from both kernel and policy. It was a fallback in case we couldn't determine the finer-grained shm/sem/msgq class in older code.

Could then also re-order security_classes to match classmap.h order if desired, putting all kernel classes together at the beginning in the same order as the kernel to make the mapping the identity mapping. That also could break legacy userspace. Not strictly necessary but kind of nice if all the kernel classes were contiguous in policy.

FYI @WOnder93 @pebenito @jeffvanderstoep

stephensmalley commented on July 23, 2024

SELinuxProject/refpolicy#161 removes the two obsolete netlink classes. This change, unlike the previous one, is likely not compatible with RHEL6 kernels, and could possibly impact userspace on RHEL7 if it still has any userspace object managers that use the old flask.h/av_permissions.h definitions for classes/perms instead of dynamically mapping them.

stephensmalley commented on July 23, 2024

Amended SELinuxProject/refpolicy#161 to rename instead of remove to preserve userspace compatibility.
Given userspace compatibility constraints impacting even RHEL8 for dbus-daemon, don't think we can ever re-order security_classes to match classmap order, so dropping that as a goal for this issue.
So I think I can close this issue once the above PR is merged (or rejected).

stephensmalley commented on July 23, 2024

refpolicy is now aligned to the kernel classes and access vector definitions aside from some class ordering issues (unfixable without breaking userspace) and not yet having recently added classes (perf_event, lockdown). It already has the watch permissions, unlike Fedora policy.
Some of the changes were already in Android policy and I submitted the rest just now so it should be aligned shortly unless they decide they cannot remove the chr_file:execute_no_trans/entrypoint and packet:flow_in/flow_out definitions compatibly. I'm going to close this issue as complete to the extent feasible today.

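Worked example of the compatibility point running through the comments above (why removing a class from security_classes breaks legacy object managers, why renaming it does not, and what "identity mapping" to the kernel classmap means). This is an added example, not code from the thread, from refpolicy, or from the kernel. It models one rule that checkpolicy applies: a class's numeric value is its 1-based position in security_classes. The policy excerpt, the kernel classmap stand-in, and the replacement names used for the rename are constructed for the example; the real refpolicy and classmap.h have many more entries and the real rename targets are whatever refpolicy#161 chose.

```python
"""Constructed model of SELinux class value assignment (added example).

checkpolicy numbers classes by position in security_classes.  The kernel
maps its own classmap.h order onto those numbers by name at policy load.
A legacy userspace object manager built against a generated flask.h
carries the numbers themselves, so a shift in position silently changes
what its hard-coded value means to the kernel.
"""
import re

# Constructed subset of security_classes; real refpolicy has far more classes.
SECURITY_CLASSES_BEFORE = """\
# FLASK

class security
class process
class system
class capability
class filesystem
class file
class netlink_firewall_socket
class netlink_ip6fw_socket
class netlink_audit_socket
class dbus
class nscd
class association
class netlink_kobject_uevent_socket
"""

# Constructed stand-in for the first entries of the kernel's classmap.h order.
KERNEL_CLASSMAP = ["security", "process", "system", "capability",
                   "filesystem", "file"]

CLASS_RE = re.compile(r"^\s*class\s+(\S+)\s*$")


def parse_security_classes(text):
    """Assign values the way checkpolicy does: 1-based, in declaration order."""
    values = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.split("#", 1)[0])
        if m:
            if m.group(1) in values:
                raise ValueError(f"duplicate class {m.group(1)}")
            values[m.group(1)] = len(values) + 1
    return values


def remove_class(text, name):
    """Drop a class declaration; every class declared after it moves up by one."""
    kept = [l for l in text.splitlines()
            if not (CLASS_RE.match(l) and CLASS_RE.match(l).group(1) == name)]
    return "\n".join(kept) + "\n"


def rename_class(text, old, new):
    """Rename a class in place; no other class changes value."""
    out = []
    for l in text.splitlines():
        m = CLASS_RE.match(l)
        out.append(f"class {new}" if m and m.group(1) == old else l)
    return "\n".join(out) + "\n"


# Values a legacy object manager compiled in from the flask.h of the old policy.
LEGACY_FLASK_H = parse_security_classes(SECURITY_CLASSES_BEFORE)


def legacy_resolve(loaded_policy, compiled_in_value):
    """Which class the kernel sees when a legacy manager sends its old value."""
    by_value = {v: k for k, v in loaded_policy.items()}
    return by_value.get(compiled_in_value)


def dynamic_resolve(loaded_policy, name):
    """Runtime lookup by name, as selinux_set_mapping()/string_to_security_class() do."""
    return loaded_policy.get(name)


def kernel_class_mapping(loaded_policy, classmap=KERNEL_CLASSMAP):
    """Policy value of each kernel class in kernel order; identity iff it reads 1..N."""
    return [loaded_policy[name] for name in classmap]


def check_compat(policy_text, cls="dbus"):
    """Return (class a legacy manager's hard-coded value for `cls` now names,
    value a dynamic lookup of `cls` returns) under the new policy."""
    loaded = parse_security_classes(policy_text)
    return legacy_resolve(loaded, LEGACY_FLASK_H[cls]), dynamic_resolve(loaded, cls)


if __name__ == "__main__":
    removed = remove_class(remove_class(SECURITY_CLASSES_BEFORE,
                                        "netlink_firewall_socket"),
                           "netlink_ip6fw_socket")
    # Replacement names are hypothetical placeholders, not refpolicy's choice.
    renamed = rename_class(rename_class(SECURITY_CLASSES_BEFORE,
                                        "netlink_firewall_socket", "unused_class_1"),
                           "netlink_ip6fw_socket", "unused_class_2")
    print("remove:", check_compat(removed))   # legacy dbus checks now hit 'association'
    print("rename:", check_compat(renamed))   # legacy dbus checks still hit 'dbus'
    print("kernel mapping:", kernel_class_mapping(parse_security_classes(removed)))
```

The practitioner check this suggests: an object manager is only safe against policy reordering if it resolves class and permission names at runtime (libselinux's `selinux_set_mapping()` or `string_to_security_class()`/`string_to_av_perm()`) rather than compiling in values from a generated flask.h; the rename keeps the hard-coded values of a legacy dbus-daemon valid, which is exactly why reordering security_classes to match the kernel was dropped as a goal.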