Load security policies for LSMs #399

Open
WavyEbuilder opened this issue Oct 15, 2024 · 2 comments

@WavyEbuilder

WavyEbuilder commented Oct 15, 2024

Is your feature request related to a problem? Please describe.
sysvinit, specifically here, and systemd, here and here, and OpenRC, here, all load a security policy for SELinux. This is important, because without the loading of the policy before (for example) the re-exec of init, init is given the wrong SELinux context, as the policy used by the system is not loaded by the time init is.

Describe the solution you'd like
It would be nice to have something similar in dinit to load the SELinux policy instead of requiring an initramfs to do so. Currently, unless the initramfs loads the SELinux policy - typically with load_policy(8) - dinit cannot be used with SELinux (as the policy is not loaded before init is). This should require fairly minimal changes; however, it will require dinit to re-exec itself. This is because, as init is responsible for loading the SELinux policy, it will need to be re-executed to then be correctly labeled with the right context itself. Both the OpenRC and sysvinit init systems appear to re-exec themselves, for example, in sysvinit:

```c
if (selinux_init_load_policy(&enforce) == 0) {
        putenv("SELINUX_INIT=YES");
        execv(myname, argv);
}
```

However, systemd appears to transition itself to the new context with:

```c
/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || !label) {
        log_open();
        log_error("Failed to compute init label, ignoring.");
} else {
        r = setcon_raw(label);

        log_open();
        if (r < 0)
                log_error("Failed to transition into init label '%s', ignoring.", label);
}
```

Both of those approaches seem to work fine; are there any preferences on what route to take?

Ideally we want to load the policy as early as possible; for example, note this from the systemd source code:

```c
/* Make sure we have no fds open while loading the policy and
 * transitioning */
log_close();
```

Additional context
If this is an acceptable proposal, I'd be happy to send a PR to implement it. I'm only really familiar with SELinux however, so I can only really confidently implement it for that. However (and part of the reasoning for opening this issue), it would be nice to discuss the extent of the security policy to be loaded. For example, while sysvinit (rudimentary example) only loads an SELinux policy, it appears systemd loads a policy for SELinux, SMACK, and AppArmor. Would a helper function similar to systemd's initialize_security (as linked above) be desired?

Thank you for reading and your work on dinit, it is much appreciated.
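
The re-exec route described in the issue needs a guard so that the second pass of init does not load the policy and re-exec again, plus a decision for the failure paths. The sketch below is an added example, not part of the issue and not code from dinit, sysvinit or systemd. `early_selinux`, the `lsm_step` values and the `fake_*` helpers are hypothetical names, and halting when enforcing mode was requested is an assumption of this example. The loader and exec calls are injected with the shapes of libselinux's `selinux_init_load_policy()` and `execv()` so the flow runs on a machine without SELinux.

```c
/* Added example: not dinit, sysvinit or systemd code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lsm_step { LSM_SKIP, LSM_CONTINUE, LSM_HALT };

/* load has the shape of libselinux's selinux_init_load_policy(int *enforce),
 * reexec the shape of execv(); both are injected so the flow can be run
 * on a machine without SELinux. */
typedef int (*load_fn)(int *enforce);
typedef int (*exec_fn)(const char *path, char *const argv[]);

enum lsm_step early_selinux(load_fn load, exec_fn reexec,
                            const char *self, char *const argv[])
{
    int enforce = 0;
    const char *done = getenv("SELINUX_INIT");

    /* Second pass after re-exec: the policy is in place, do not load it
     * again or init would re-exec forever. */
    if (done && strcmp(done, "YES") == 0)
        return LSM_SKIP;

    if (load(&enforce) == 0) {
        setenv("SELINUX_INIT", "YES", 1);
        reexec(self, argv);   /* a real execv() returns only on failure */
    }
    /* Reached when the load or the re-exec failed. Assumed policy of this
     * example: fail closed if enforcing mode was requested. */
    return enforce > 0 ? LSM_HALT : LSM_CONTINUE;
}

/* Constructed stand-ins for the libselinux loader and execv(). */
int fake_rc, fake_enforce, load_calls, exec_calls;
int fake_load(int *enforce) { load_calls++; *enforce = fake_enforce; return fake_rc; }
int fake_exec(const char *p, char *const a[]) { (void)p; (void)a; exec_calls++; return -1; }

int main(void)
{
    char *argv[] = { "init", NULL };
    fake_rc = -1; fake_enforce = 1;   /* load fails, enforcing requested */
    printf("step=%d\n", early_selinux(fake_load, fake_exec, "/sbin/init", argv));
    return 0;
}
```

In a real init the two function pointers would be `selinux_init_load_policy` from `<selinux/selinux.h>` and `execv`, and the call would sit before any file descriptors are opened.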

@JeroenMathon

I'm commenting just to tell you to fix your whitespace, this is painful to look at.

@WavyEbuilder
Author

Copied badly, my apologies. Will edit now.
