
Load security policies for LSMs

Open WavyEbuilder opened this issue 4 months ago • 2 comments

Is your feature request related to a problem? Please describe.
sysvinit, specifically here, and systemd, here and here, and openrc, here, all load a security policy for SELinux. This is important, because without the loading of the policy before (for example) the re-exec of init, init is given the wrong SELinux context, as the policy used by the system is not loaded by the time init is.

Describe the solution you'd like
It would be nice to have something similar in dinit to load the SELinux policy instead of requiring an initramfs to do so. Currently, unless the initramfs loads the SELinux policy - typically with load_policy(8) - dinit cannot be used with SELinux (as the policy is not loaded before init is). This should require fairly minimal changes; however, it will require dinit to re-exec itself. This is because, as init is responsible for loading the SELinux policy, it will need to be re-executed to then be correctly labeled with the right context itself. Both the OpenRC and sysvinit init systems appear to re-exec themselves, for example, in sysvinit:

if (selinux_init_load_policy(&enforce) == 0) {
        putenv("SELINUX_INIT=YES");
        execv(myname, argv);
}

However, systemd appears to transition itself to the new context with:

/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
if (r < 0 || !label) {
        log_open();
        log_error("Failed to compute init label, ignoring.");
} else {
        r = setcon_raw(label);

        log_open();
        if (r < 0)
                log_error("Failed to transition into init label '%s', ignoring.", label);
}

Both of those two approaches seem to work fine, are there any preferences on what route to take?

Ideally we want to load the policy as early as possible, for example note from the systemd source code:

/* Make sure we have no fds open while loading the policy and
 * transitioning */
log_close();

Additional context
If this is an acceptable proposal, I'd be happy to send a PR to implement it. I'm only really familiar with SELinux however, so I can only really confidently implement it for that. However (and part of the reasoning for opening this issue), it would be nice to discuss the extent of the security policy to be loaded. For example, while sysvinit (rudimentary example) only loads an SELinux policy, it appears systemd loads a policy for SELinux, SMACK, and AppArmor. Would a helper function similar to systemd's initialize_security (as linked above) be desired?

Thank you for reading and your work on dinit, it is much appreciated.

WavyEbuilder, Oct 15 '24 13:10
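The early-boot sequence the two quoted snippets describe, as an added C example that is not dinit's, sysvinit's or systemd's code: the libselinux and execv() calls sit behind an assumed `lsm_hooks` struct so the ordering (close fds, load policy, then re-exec or transition) can be exercised without a SELinux kernel, with sysvinit's SELINUX_INIT marker guarding against an endless re-exec loop and a failed load in enforcing mode reported as a halt condition. The fakes at the bottom are constructed for the demo.

```c
#include <stdlib.h>
#include <string.h>

enum lsm_outcome { LSM_SKIPPED, LSM_NO_POLICY, LSM_REEXEC, LSM_TRANSITIONED, LSM_FAILED };

/* Hooks over the calls the issue cites (assumed wrappers, not a real API);
 * a real init would point them at libselinux and execv(). */
struct lsm_hooks {
    void (*close_fds)(void);                /* systemd's log_close(): no fds open while loading */
    int (*load_policy)(int *enforce);       /* selinux_init_load_policy(): 0 on success */
    int (*init_label)(char **label);        /* mac_selinux_get_create_label_from_exe() */
    int (*set_context)(const char *label);  /* setcon_raw() */
    int (*reexec)(const char *path, char *const argv[]); /* execv(): returns only on failure */
};

#define REEXEC_GUARD "SELINUX_INIT"  /* sysvinit's marker: set before re-exec, seen after it */

enum lsm_outcome lsm_early_setup(const struct lsm_hooks *h, int transition,
                                 const char *self, char *const argv[])
{
    int enforce = 0;
    char *label = NULL;
    if (getenv(REEXEC_GUARD))           /* second pass: policy loaded, kernel already labelled us */
        return LSM_SKIPPED;
    h->close_fds();                     /* nothing may hold an fd across load + transition */
    if (h->load_policy(&enforce) != 0)  /* no policy in enforcing mode: caller must halt */
        return enforce > 0 ? LSM_FAILED : LSM_NO_POLICY;
    if (transition) {                   /* systemd style: stay as PID 1, switch context in place */
        if (h->init_label(&label) != 0 || !label)
            return LSM_FAILED;
        int r = h->set_context(label);
        free(label);
        return r == 0 ? LSM_TRANSITIONED : LSM_FAILED;
    }
    setenv(REEXEC_GUARD, "YES", 1);     /* sysvinit style: re-exec so exec labels init correctly */
    return h->reexec(self, argv) == 0 ? LSM_REEXEC : LSM_FAILED;
}

/* Constructed fakes so the sequence runs without a SELinux kernel or libselinux. */
static int fake_loads;
static void fake_close(void) {}
static int fake_load(int *enforce) { *enforce = 1; fake_loads++; return 0; }
static int fake_label(char **l) {
    *l = malloc(32);
    if (*l) strcpy(*l, "system_u:system_r:init_t:s0");
    return *l ? 0 : -1;
}
static int fake_setcon(const char *l) { return strncmp(l, "system_u:", 9) == 0 ? 0 : -1; }
static int fake_exec(const char *p, char *const a[]) { (void)p; (void)a; return 0; }
const struct lsm_hooks fake_hooks = { fake_close, fake_load, fake_label, fake_setcon, fake_exec };
```

Calling `lsm_early_setup` a second time after the re-exec path returns LSM_SKIPPED because the guard variable is now in the environment, which is the behaviour that keeps sysvinit from looping.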