All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH] locallogin: fine tune DAC override permissions
@ 2017-04-27 23:45 Guido Trentalancia
  2017-04-29 15:31 ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Guido Trentalancia @ 2017-04-27 23:45 UTC (permalink / raw)
  To: refpolicy

Improve the locallogin module by curbing on dac_override permissions
in the sulogin domain (read/search permissions only).

Thanks to Dominick Grift for suggesting this.

Other modules are likely affected by the same issue.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/locallogin.te |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/policy/modules/system/locallogin.te	2017-04-26 17:47:14.080423048 +0200
+++ b/policy/modules/system/locallogin.te	2017-04-28 01:33:10.287540604 +0200
@@ -216,7 +216,8 @@ optional_policy(`
 # Sulogin local policy
 #
 
-allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
+dontaudit sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
 allow sulogin_t self:process setexec;
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] locallogin: fine tune DAC override permissions
  2017-04-27 23:45 [refpolicy] [PATCH] locallogin: fine tune DAC override permissions Guido Trentalancia
@ 2017-04-29 15:31 ` Chris PeBenito
  2017-04-29 18:23   ` Guido Trentalancia
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2017-04-29 15:31 UTC (permalink / raw)
  To: refpolicy

On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> Improve the locallogin module by curbing on dac_override permissions
> in the sulogin domain (read/search permissions only).
>
> Thanks to Dominick Grift for suggesting this.
>
> Other modules are likely affected by the same issue.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/locallogin.te |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/system/locallogin.te	2017-04-26 17:47:14.080423048 +0200
> +++ b/policy/modules/system/locallogin.te	2017-04-28 01:33:10.287540604 +0200
> @@ -216,7 +216,8 @@ optional_policy(`
>  # Sulogin local policy
>  #
>
> -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
> +dontaudit sulogin_t self:capability dac_override;
> +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
>  allow sulogin_t self:process setexec;
>  allow sulogin_t self:fd use;
>  allow sulogin_t self:fifo_file rw_fifo_file_perms;

Merged.  Unfortunately, since the dac_read_search was checked after 
dac_override for so long, this issue is possibly very prevalent in the 
policy.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [refpolicy] [PATCH] locallogin: fine tune DAC override permissions
  2017-04-29 15:31 ` Chris PeBenito
@ 2017-04-29 18:23   ` Guido Trentalancia
  0 siblings, 0 replies; 3+ messages in thread
From: Guido Trentalancia @ 2017-04-29 18:23 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

On Sat, 29/04/2017 at 11.31 -0400, Chris PeBenito wrote:
> On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> > Improve the locallogin module by curbing on dac_override
> > permissions
> > in the sulogin domain (read/search permissions only).
> > 
> > Thanks to Dominick Grift for suggesting this.
> > 
> > Other modules are likely affected by the same issue.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/system/locallogin.te |????3 ++-
> > ?1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > --- a/policy/modules/system/locallogin.te	2017-04-26
> > 17:47:14.080423048 +0200
> > +++ b/policy/modules/system/locallogin.te	2017-04-28
> > 01:33:10.287540604 +0200
> > @@ -216,7 +216,8 @@ optional_policy(`
> > ?# Sulogin local policy
> > ?#
> > 
> > -allow sulogin_t self:capability { dac_override sys_admin
> > sys_tty_config };
> > +dontaudit sulogin_t self:capability dac_override;
> > +allow sulogin_t self:capability { dac_read_search sys_admin
> > sys_tty_config };
> > ?allow sulogin_t self:process setexec;
> > ?allow sulogin_t self:fd use;
> > ?allow sulogin_t self:fifo_file rw_fifo_file_perms;
> 
> Merged.??Unfortunately, since the dac_read_search was checked after?
> dac_override for so long, this issue is possibly very prevalent in
> the?
> policy.

We'll fix that with time. It shouldn't be given the highest priority,
in my opinion.

What I think should be given the highest priority is testing the whole
policy without the unconfined module.

After that, the second highest priority should be given, in my opinion,
to the user data confidentiality patch.

Then, we can tackle this dac_override/dac_read_search issue throughout
the rest of the policy.

I'll do my best in the future to keep in mind about this and eventually
provide improved policy.

Regards,

Guido

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-04-29 18:23 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-04-27 23:45 [refpolicy] [PATCH] locallogin: fine tune DAC override permissions Guido Trentalancia
2017-04-29 15:31 ` Chris PeBenito
2017-04-29 18:23   ` Guido Trentalancia

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.