Internal usage of can_setenforce

[JugglerShu]

I have a question about the internal structure(attribute or types) in refpolicy.

I'm currently trying to create my own policy for a device, but not reusing refpolicy itself. What I'm doing so far is to create policy from scratch and try to borrow some idea from refpolicy as needed.

So I first tried to understand how permission to change selinux configuration is confined in refpolicy. I have just read policy/modules/kernel/selinux.te and selinux.if

My question is how 'can_setenforce' attribute is used in refpolicy? From my understanding, there is no statement that allows something to 'can_setenforce' attributes. What I could found is neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce This only says that types(domains) other than selinux_unconfined or can_setenforce never have right to setenforce.

In other words, my question is what the domain with 'can_setenforc' attribute can do in refpolicy?

[ghost]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

On Wed, Nov 04, 2015 at 02:34:21AM -0800, JugglerShu wrote:

I have a question about the internal structure(attribute or types) in refpolicy.

I'm currently trying to create my own policy for a device, but not reusing refpolicy itself. What I'm doing so far is to create policy from scratch and try to borrow some idea from refpolicy as needed.

So I first tried to understand how permission to change selinux configuration is confined in refpolicy. I have just read policy/modules/kernel/selinux.te and selinux.if

My question is how 'can_setenforce' attribute is used in refpolicy? From my understanding, there is no statement that allows something to 'can_setenforce' attributes. What I could found is neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce This only says that types(domains) other than selinux_unconfined or can_setenforce never have right to setenforce.

In other words, my question is what the domain with 'can_setenforc' attribute can do in refpolicy?

process types that are associated with the selinux_unconfined_type, and can_setenforce type attributes are allowed the "setenforce" on security objects that are associated with the security_t type.

This permissive is required by for example the setenforce command or when you "echo 0 > /sys/fs/selinux/enforce"

---

Reply to this email directly or view it on GitHub: https://github.com/TresysTechnology/refpolicy/issues/14

---

02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2

iQGcBAEBCgAGBQJWOeCyAAoJENAR6kfG5xmcdLYMAIKFqqMUuwBasbetiBv2y3qU 2I1HS1U5O4UreRgZfzEbWM5J+RochQnFPtheRf7up5D9sWi/+k3Dwy/Seqb9k5sn g18b318SsuQxiN3kVuDZaluqVRDtwNLQtkoexlwnwYaO2evx7cjFyNyqeeKBHcxE +e7CrzIQxT6bS7bzLascEzEiG98s0jW9hPPebhvVSRvKyWYA4Ej1PDE9Jz8TIF2S aWBrfDj990ztIPpln+xmzSaiVo6aVg7f7QoOQm2MTwM8RhXpD29Y7hVVdyO4bFQC +cOOyxyPMTqe0bgKLpnCLDW31F7Ulk+KTCxvhwtAJ55Mq/R2GQtkJJRiAv9iHbOL IoUbwZ79AvY9cZluv/r0h0GNy+UNLrSp67VOl0sfdu+rYDouIARhKyzHYy95OzsG iLCJXjIbXoML1aHc7tL2tHnJdRDOUEebmVpapfCYmXBjomz8GHCuRRa6Ld8Q3y7w nHYS50G9pPPN+wVMSSJFNf4KtwV22l/XQCIr/ndcHg== =cJ0i -----END PGP SIGNATURE-----

[ghost]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Let me try that again without the typos:

process types that are associated with the selinux_unconfined_type, or can_setenforce type attribute are allowed the "setenforce" permission on security objects that are associated with the security_t type. This permission is required by for example the setenforce command, or when you "echo 0 > /sys/fs/selinux/enforce"

---

02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2

iQGcBAEBCgAGBQJWOeEmAAoJENAR6kfG5xmc4ZYMAJ//MzljeIgD938i1LNygpDU PXgVaItZrIuRCvpD4nBKtXAHOqcqHiUltwBYFTpir6OQi7bmfbLPz5Ww3hj2A7rn dy6GAuvK0f0EeTo6zwaOkymJ7WDXajnq9HeX2mpICPcAY+EgU58hd9mcIxgsnSrN 6FyyIIuQ7eRFbuxCP/X6PIaZv0AIEYv1H+QI6VIDRRLpxcbIsYqXOuzLrHT8CylC PTsvPU2s4z5X2GZ9RGViK4YhNg9T8V8qHGRVEE1p4J1jt/xg3/Bt728sDliHo8ZL Vis9cIqY3ZxsEcORmXbPXV9Mjo5MvNd4tgxCt3Kx4QIi207uIz0Cs7QKRbd1d4Mg R//6UKLOFWXTc07LRYFhjIazGzJ4SZMfJhIYe9dicXu3XX209Az7SZ3LdvIaKkj6 w4ZlAvAMIkdoPAagcLOsdyFpqWY24nNIWRrllyxrOEQxctN8NZm5axrniVzvcOX7 HYxhwNUnajZyqIHiJXIe4PIB/4q8XX8MS7QXQiROWg== =U8WX -----END PGP SIGNATURE-----

[JugglerShu]

Yea I understand that but to make the following point

 can_setenforce type attribute are allowed the "setenforce" permission on security objects that are associated with the security_t type

I thought we need a allow statement like

allow can_setenforce security_t : security setenforce

but I couldn't find this kind of description.

Where is this defined?

What I found is the following statement in selinux.te

if(!secure_mode_policyload) {
    allow selinux_unconfined_type security_t:security { load_policy setenforce };
    allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}

but this is only for selinux_unconfined_type not for can_setenforce.

Sorry if I'm asking something irrelevant.

[ghost]

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

On Wed, Nov 04, 2015 at 03:56:35AM -0800, JugglerShu wrote:

Yea I understand that but to make the following point

 can_setenforce type attribute are allowed the "setenforce" permission on security objects that are associated with the security_t type

I thought we need a allow statement like

allow can_setenforce security_t : security setenforce

but I couldn't find this kind of description.

Where is this defined?

What I found is the following statement in selinux.te

if(!secure_mode_policyload) {
    allow selinux_unconfined_type security_t:security { load_policy setenforce };
    allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}

but this is only for selinux_unconfined_type not for can_setenforce.

Sorry if I'm asking something irrelevant.

Yes that is implemented a bit weird but look that this from selinux.if:

interface(selinux_set_enforce_mode', gen_require(` type security_t; attribute can_setenforce; bool secure_mode_policyload; ')

dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;

if(!secure_mode_policyload) {
    allow $1 security_t:security setenforce;
}

')

calling selinux_set_enforce_mode() would allow the caller to "setenforce", because the caller is associated with "can_setenforce", and it has a rule that allows the caller the setenforce permission of security objects associated with type security_t.

Thus it passes the neverallow assertion.

I would probably have implemented this differently with CIL, but the above has similar results. It's just a bit more confusing.

---

Reply to this email directly or view it on GitHub: https://github.com/TresysTechnology/refpolicy/issues/14#issuecomment-153698387

---

02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788 Dominick Grift -----BEGIN PGP SIGNATURE----- Version: GnuPG v2

iQGcBAEBCgAGBQJWOfgHAAoJENAR6kfG5xmcB40MAMbTms0N+0wz273QZRbpTDdw bii1cCiskSxRwsrYVX1T5NLQHyIZUNT3DzyKcM1uQWF2iEifzxWXx9jZBzXnPxrj 0+9+68Xv7IH4O88hC09Oratm58pu2NbbCrK5uwJsv5UbEjrCGb3VYXcw7+T9dLjR 55yZOJ8ON32ykc/Dp6u2UU0jJlunAjGBBlB1Y50PXtk9MsofHoASo/gqBEnc7mM/ 04+BsNsNkkPf9e1MH4FW96k548fiJnBgo9XVmS2KeFhcCAPxQPt2pZDalxICjzE+ nezeSVlBD0CixzGQ49CjfJeiYmLVf0JP3DhrdtnrI6ei1thhaTQbPWjQWPML5xRc E39F82wNpEshN3nSuLV+3h7sOZuxvijTF0d3adM16yaERdFyD9a4jrCuFcEjqySC 58KfMxouBnLJpFxnMwsNoxcSJiz/5XrB470th/zgT2S4MV7rxkrFvlIAwvfdGHyd OYBuhCrrCjSaP2VLfhpViFrRWq/W+mpCChV4XmYtAA== =J+Xl -----END PGP SIGNATURE-----

[JugglerShu]

OK I got it.

So can_setenforce is just used to pass neverallow rule and actuall rule to allow to setenforce is rather directly set to the domain.

Thanks.

[ghost]

Could have done this like the following instead (which is probably cleaner as well):

# the macro in selinux.if
interface(`selinux_set_enforce_mode',`
    gen_require(` attribute can_setenforce; ')

    type_attribute $1 can_setenforce;
')

# the rules in selinux.te
dev_search_sysfs(can_setenforce)
allow can_setenforce security_t:dir list_dir_perms;
allow can_setenforce security_t:file rw_file_perms;

if(!secure_mode_policyload) {
allow { selinux_unconfined_type can_setenforce } security_t:security setenforce; 
}

# the call
selinux_set_enforce_mode(doverride)

[JugglerShu]

Yes that's what I expected in the .te and .if files. Anyway I understood how it is defined now. Thank you!

[ghost]

Yes my solution is also more efficient.

[pebenito]

Reopening as I'd like to revise the policy like @doverride 's suggestion.