* [refpolicy] [PATCH] Improve tunable support for rw operations on noxattr fs / removable media
@ 2016-09-02 14:11 Guido Trentalancia
  2016-09-02 22:26 ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2016-09-02 14:11 UTC (permalink / raw)
  To: refpolicy

Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable
  write operations on filesystems that do not support extended
  attributes, such as FAT or CD-ROM filesystems);
- add support for a new "user_exec_noexattrfile" boolean to
  control the execution of files from filesystems that do not
  support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
  enables write operations on removable devices (such as
  external removable USB memory, USB mobile phones, etc).

Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.

Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.if |   45 +++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 21 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-02 15:56:29.649686667 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-02 15:54:22.817915887 +0200
@@ -572,10 +572,30 @@ template(`userdom_common_user_template',
 		dev_read_mouse($1_t)
 	')
 
+	tunable_policy(`user_rw_noexattrfile',`
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_dirs($1_t)
+	',`
+		fs_read_noxattr_fs_files($1_t)
+	')
+
 	tunable_policy(`user_ttyfile_stat',`
 		term_getattr_all_ttys($1_t)
 	')
 
+	tunable_policy(`user_write_removable',`
+		# Read/write floppies and other removable devices
+		storage_raw_read_removable_device($1_t)
+		storage_raw_write_removable_device($1_t)
+		# Read/write USB devices (e.g. external removable USB mass storage devices)
+		dev_rw_generic_usb_dev($1_t)
+	',`
+		# Read floppies
+		storage_raw_read_removable_device($1_t)
+		# Read USB devices (e.g. external removable USB mass storage devices)
+		dev_read_generic_usb_dev($1_t)
+	')
+
 	optional_policy(`
 		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
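Review bot: The false branch of the new `user_write_removable` block (L59-L63) grants `dev_read_generic_usb_dev($1_t)` to every domain built from userdom_common_user_template, a rule the removed unpriv-only block did not carry (its else branch at L83 held only `storage_raw_read_removable_device`), and the description does not mention this default widening; whether the common template already granted it elsewhere is not visible in the hunk. Because the tunable now lives in the common template, both branches also reach admin user domains, not just unprivileged ones. If the intent is only to make existing access switchable, drop the read rule from the else branch or state the new default in the commit message. The same else branch recurs in v2 (L310-L313) and v3 (L953-L956); the template body continues outside the hunk.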
@@ -1013,26 +1058,16 @@ template(`userdom_unpriv_user_template',
 
 	files_exec_usr_files($1_t)
 
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			fs_manage_noxattr_fs_files($1_t)
-			fs_manage_noxattr_fs_dirs($1_t)
-			# Write floppies
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-		',`
-			storage_raw_read_removable_device($1_t)
-		')
-	')
-
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
+	tunable_policy(`user_exec_noexattrfile',`
+		fs_exec_noxattr($1_t)
+	')
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
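Review bot: The new `user_exec_noexattrfile` block (L93-L95) sits outside any `ifndef(`enable_mls', ...)` guard, whereas the `fs_exec_noxattr($1_t)` it replaces (L73-L74) was only emitted for non-MLS builds, so an MLS policy with the boolean enabled would newly gain exec on noxattr filesystems. Separately, non-MLS deployments lose the previously unconditional exec permission unless the boolean is turned on, which is a behaviour change the description should state explicitly. If MLS should keep its exclusion, wrap the tunable_policy call in the same `ifndef(`enable_mls', ...)` guard the removed code used. The same placement recurs in v2 (L343-L345) and v3 (L986-L988); userdom_unpriv_user_template continues outside the hunk.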
@@ -1214,13 +1249,6 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
-	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
-		fs_manage_noxattr_fs_dirs($1_t)
-	',`
-		fs_read_noxattr_fs_files($1_t)
-	')
-
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')


* [refpolicy] [PATCH] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-02 14:11 [refpolicy] [PATCH] Improve tunable support for rw operations on noxattr fs / removable media Guido Trentalancia
@ 2016-09-02 22:26 ` Chris PeBenito
  2016-09-02 23:23   ` [refpolicy] [PATCH v2] " Guido Trentalancia
  0 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2016-09-02 22:26 UTC (permalink / raw)
  To: refpolicy

On 09/02/16 10:11, Guido Trentalancia via refpolicy wrote:
> Improve the existing user domain template policy:
>
> - better support for the "user_rw_noexattrfile" boolean (enable
>   write operations on filesystems that do not support extended
>   attributes, such as FAT or cdrom filesystem);
> - add support for a new "user_exec_noexattrfile" boolean to
>   control the execution of files from filesystems that do not
>   support extended attributes (potentially dangerous);
> - add support for a new "user_write_removable" boolean which
>   enables write operations on removable devices (such as
>   external removable USB memory, USB mobile phones, etc).
>
> Note that devices might be removable but support extended
> attributes (Linux xattr filesystems on external USB mass storage
> devices), so two separate booleans are needed for optimal
> configuration flexibility.
>
> Writing to removable mass storage devices is a major cause of
> leakage of confidential information, so the new boolean defaults
> to false.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.if |   45 +++++++++++++++++++-----------------
>  1 file changed, 24 insertions(+), 21 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-02 15:56:29.649686667 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-02 15:54:22.817915887 +0200
> @@ -572,10 +572,30 @@ template(`userdom_common_user_template',
>  		dev_read_mouse($1_t)
>  	')
>
> +	tunable_policy(`user_rw_noexattrfile',`
> +		fs_manage_noxattr_fs_files($1_t)
> +		fs_manage_noxattr_fs_dirs($1_t)
> +	',`
> +		fs_read_noxattr_fs_files($1_t)
> +	')
> +
>  	tunable_policy(`user_ttyfile_stat',`
>  		term_getattr_all_ttys($1_t)
>  	')
>
> +	tunable_policy(`user_write_removable',`
> +		# Read/write floppies and other removable devices
> +		storage_raw_read_removable_device($1_t)
> +		storage_raw_write_removable_device($1_t)
> +		# Read/write USB devices (e.g. external removable USB mass storage devices)
> +		dev_rw_generic_usb_dev($1_t)
> +	',`
> +		# Read floppies
> +		storage_raw_read_removable_device($1_t)
> +		# Read USB devices (e.g. external removable USB mass storage devices)
> +		dev_read_generic_usb_dev($1_t)
> +	')
> +
>  	optional_policy(`
>  		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
> @@ -1013,26 +1058,16 @@ template(`userdom_unpriv_user_template',
>
>  	files_exec_usr_files($1_t)
>
> -	ifndef(`enable_mls',`

I think my only concern is removing it from this ifndef MLS.  MLS 
policies never want the raw access, with few exceptions.


> -		fs_exec_noxattr($1_t)
> -
> -		tunable_policy(`user_rw_noexattrfile',`
> -			fs_manage_noxattr_fs_files($1_t)
> -			fs_manage_noxattr_fs_dirs($1_t)
> -			# Write floppies
> -			storage_raw_read_removable_device($1_t)
> -			storage_raw_write_removable_device($1_t)
> -		',`
> -			storage_raw_read_removable_device($1_t)
> -		')
> -	')
> -
>  	tunable_policy(`user_dmesg',`
>  		kernel_read_ring_buffer($1_t)
>  	',`
>  		kernel_dontaudit_read_ring_buffer($1_t)
>  	')
>
> +	tunable_policy(`user_exec_noexattrfile',`
> +		fs_exec_noxattr($1_t)
> +	')
> +
>  	# Allow users to run TCP servers (bind to ports and accept connection from
>  	# the same domain and outside users) disabling this forces FTP passive mode
>  	# and may change other protocols
> @@ -1214,13 +1249,6 @@ template(`userdom_admin_user_template',`
>  	userdom_manage_user_home_content_sockets($1_t)
>  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
>
> -	tunable_policy(`user_rw_noexattrfile',`
> -		fs_manage_noxattr_fs_files($1_t)
> -		fs_manage_noxattr_fs_dirs($1_t)
> -	',`
> -		fs_read_noxattr_fs_files($1_t)
> -	')
> -
>  	optional_policy(`
>  		postgresql_unconfined($1_t)
>  	')

-- 
Chris PeBenito


* [refpolicy] [PATCH v2] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-02 22:26 ` Chris PeBenito
@ 2016-09-02 23:23   ` Guido Trentalancia
  2016-09-05 14:32     ` Chris PeBenito
  2016-09-05 16:58     ` [refpolicy] [PATCH v3] " Guido Trentalancia
  0 siblings, 2 replies; 8+ messages in thread
From: Guido Trentalancia @ 2016-09-02 23:23 UTC (permalink / raw)
  To: refpolicy

Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable
  write operations on filesystems that do not support extended
  attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
  control the execution of files from filesystems that do not
  support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
  enables write operations on removable devices (such as
  external removable USB memory, USB mobile phones, etc).

Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.

Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.

Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.if |   52 +++++++++++++++++++++---------------
 1 file changed, 31 insertions(+), 21 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-03 01:13:35.096191416 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-03 01:13:23.378041072 +0200
@@ -572,10 +572,37 @@ template(`userdom_common_user_template',
 		dev_read_mouse($1_t)
 	')
 
+	tunable_policy(`user_rw_noexattrfile',`
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_dirs($1_t)
+	',`
+		fs_read_noxattr_fs_files($1_t)
+	')
+
 	tunable_policy(`user_ttyfile_stat',`
 		term_getattr_all_ttys($1_t)
 	')
 
+	ifndef(`enable_mls',`
+		tunable_policy(`user_write_removable',`
+			# Read/write floppies and other removable devices
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+		',`
+			# Read floppies
+			storage_raw_read_removable_device($1_t)
+		')
+	')
+
+	tunable_policy(`user_write_removable',`
+		# Read/write USB devices (e.g. external removable USB mass storage devices)
+		dev_rw_generic_usb_dev($1_t)
+	',`
+		# Read USB devices (e.g. external removable USB mass storage devices)
+		dev_read_generic_usb_dev($1_t)
+	')
+
+
 	optional_policy(`
 		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
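Review bot: Only the storage raw-device rules were moved under `ifndef(`enable_mls', ...)` (L296-L305); the `user_write_removable` branch that grants `dev_rw_generic_usb_dev($1_t)` (L307-L309) still applies to MLS builds, although access to generic USB device nodes is likewise raw device access rather than file-level access. Consider moving that block into the same guard, or adding a comment stating why USB device nodes are acceptable under MLS, e.g. `# USB device nodes are not MLS-excluded: <reason>`. The two consecutive blank lines at L314-L315 should be collapsed to one. The same layout recurs in v3 (L939-L958); the template body continues outside the hunk.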
@@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
 
 	files_exec_usr_files($1_t)
 
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			fs_manage_noxattr_fs_files($1_t)
-			fs_manage_noxattr_fs_dirs($1_t)
-			# Write floppies
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-		',`
-			storage_raw_read_removable_device($1_t)
-		')
-	')
-
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
+	tunable_policy(`user_exec_noexattrfile',`
+		fs_exec_noxattr($1_t)
+	')
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
@@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
-	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
-		fs_manage_noxattr_fs_dirs($1_t)
-	',`
-		fs_read_noxattr_fs_files($1_t)
-	')
-
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')


* [refpolicy] [PATCH v2] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-02 23:23   ` [refpolicy] [PATCH v2] " Guido Trentalancia
@ 2016-09-05 14:32     ` Chris PeBenito
  2016-09-05 14:49       ` Guido Trentalancia
  2016-09-05 16:53       ` Guido Trentalancia
  2016-09-05 16:58     ` [refpolicy] [PATCH v3] " Guido Trentalancia
  1 sibling, 2 replies; 8+ messages in thread
From: Chris PeBenito @ 2016-09-05 14:32 UTC (permalink / raw)
  To: refpolicy

On 09/02/16 19:23, Guido Trentalancia wrote:
> Improve the existing user domain template policy:
>
> - better support for the "user_rw_noexattrfile" boolean (enable
>   write operations on filesystems that do not support extended
>   attributes, such as FAT or cdrom filesystem);
> - add support for a new "user_exec_noexattrfile" boolean to
>   control the execution of files from filesystems that do not
>   support extended attributes (potentially dangerous);
> - add support for a new "user_write_removable" boolean which
>   enables write operations on removable devices (such as
>   external removable USB memory, USB mobile phones, etc).
>
> Note that devices might be removable but support extended
> attributes (Linux xattr filesystems on external USB mass storage
> devices), so two separate booleans are needed for optimal
> configuration flexibility.
>
> Writing to removable mass storage devices is a major cause of
> leakage of confidential information, so the new boolean defaults
> to false.
>
> Disable raw access for MLS policies (thanks to Christoper
> PeBenito for suggesting this).

This doesn't compile for me as monolithic:


Compiling refpolicy policy.30
/usr/bin/checkpolicy -U deny policy.conf -o policy.30
/usr/bin/checkpolicy:  loading policy configuration from policy.conf
policy/modules/roles/auditadm.te:9:ERROR 'unknown boolean 
user_write_removable in conditional expression' at token 
'user_write_removable' on line 181074:
#line 9
	if (user_write_removable) {
policy/modules/roles/auditadm.te:9:ERROR 'illegal conditional 
expression' at token '}' on line 181300:
#line 9
	}
checkpolicy:  error(s) encountered while parsing configuration
make: *** [Rules.monolithic:68: policy.30] Error 1




> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.if |   52 +++++++++++++++++++++---------------
>  1 file changed, 31 insertions(+), 21 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-03 01:13:35.096191416 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-03 01:13:23.378041072 +0200
> @@ -572,10 +572,37 @@ template(`userdom_common_user_template',
>  		dev_read_mouse($1_t)
>  	')
>
> +	tunable_policy(`user_rw_noexattrfile',`
> +		fs_manage_noxattr_fs_files($1_t)
> +		fs_manage_noxattr_fs_dirs($1_t)
> +	',`
> +		fs_read_noxattr_fs_files($1_t)
> +	')
> +
>  	tunable_policy(`user_ttyfile_stat',`
>  		term_getattr_all_ttys($1_t)
>  	')
>
> +	ifndef(`enable_mls',`
> +		tunable_policy(`user_write_removable',`
> +			# Read/write floppies and other removable devices
> +			storage_raw_read_removable_device($1_t)
> +			storage_raw_write_removable_device($1_t)
> +		',`
> +			# Read floppies
> +			storage_raw_read_removable_device($1_t)
> +		')
> +	')
> +
> +	tunable_policy(`user_write_removable',`
> +		# Read/write USB devices (e.g. external removable USB mass storage devices)
> +		dev_rw_generic_usb_dev($1_t)
> +	',`
> +		# Read USB devices (e.g. external removable USB mass storage devices)
> +		dev_read_generic_usb_dev($1_t)
> +	')
> +
> +
>  	optional_policy(`
>  		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
> @@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
>
>  	files_exec_usr_files($1_t)
>
> -	ifndef(`enable_mls',`
> -		fs_exec_noxattr($1_t)
> -
> -		tunable_policy(`user_rw_noexattrfile',`
> -			fs_manage_noxattr_fs_files($1_t)
> -			fs_manage_noxattr_fs_dirs($1_t)
> -			# Write floppies
> -			storage_raw_read_removable_device($1_t)
> -			storage_raw_write_removable_device($1_t)
> -		',`
> -			storage_raw_read_removable_device($1_t)
> -		')
> -	')
> -
>  	tunable_policy(`user_dmesg',`
>  		kernel_read_ring_buffer($1_t)
>  	',`
>  		kernel_dontaudit_read_ring_buffer($1_t)
>  	')
>
> +	tunable_policy(`user_exec_noexattrfile',`
> +		fs_exec_noxattr($1_t)
> +	')
> +
>  	# Allow users to run TCP servers (bind to ports and accept connection from
>  	# the same domain and outside users) disabling this forces FTP passive mode
>  	# and may change other protocols
> @@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
>  	userdom_manage_user_home_content_sockets($1_t)
>  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
>
> -	tunable_policy(`user_rw_noexattrfile',`
> -		fs_manage_noxattr_fs_files($1_t)
> -		fs_manage_noxattr_fs_dirs($1_t)
> -	',`
> -		fs_read_noxattr_fs_files($1_t)
> -	')
> -
>  	optional_policy(`
>  		postgresql_unconfined($1_t)
>  	')
>


-- 
Chris PeBenito


* [refpolicy] [PATCH v2] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-05 14:32     ` Chris PeBenito
@ 2016-09-05 14:49       ` Guido Trentalancia
  2016-09-05 16:53       ` Guido Trentalancia
  1 sibling, 0 replies; 8+ messages in thread
From: Guido Trentalancia @ 2016-09-05 14:49 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

I have just double-checked and version 2 compiles fine on latest
refpolicy git for me.

Can you please double-check?

It is very strange... I don't know what to say.

Best regards,

Guido

On Mon, 05/09/2016 at 10.32 -0400, Chris PeBenito wrote:
> On 09/02/16 19:23, Guido Trentalancia wrote:
> > 
> > Improve the existing user domain template policy:
> > 
> > - better support for the "user_rw_noexattrfile" boolean (enable
> > ? write operations on filesystems that do not support extended
> > ? attributes, such as FAT or cdrom filesystem);
> > - add support for a new "user_exec_noexattrfile" boolean to
> > ? control the execution of files from filesystems that do not
> > ? support extended attributes (potentially dangerous);
> > - add support for a new "user_write_removable" boolean which
> > ? enables write operations on removable devices (such as
> > ? external removable USB memory, USB mobile phones, etc).
> > 
> > Note that devices might be removable but support extended
> > attributes (Linux xattr filesystems on external USB mass storage
> > devices), so two separate booleans are needed for optimal
> > configuration flexibility.
> > 
> > Writing to removable mass storage devices is a major cause of
> > leakage of confidential information, so the new boolean defaults
> > to false.
> > 
> > Disable raw access for MLS policies (thanks to Christoper
> > PeBenito for suggesting this).
> 
> This doesn't compile for me as monolithic:
> 
> 
> Compiling refpolicy policy.30
> /usr/bin/checkpolicy -U deny policy.conf -o policy.30
> /usr/bin/checkpolicy:??loading policy configuration from policy.conf
> policy/modules/roles/auditadm.te:9:ERROR 'unknown boolean?
> user_write_removable in conditional expression' at token?
> 'user_write_removable' on line 181074:
> #line 9
> 	if (user_write_removable) {
> policy/modules/roles/auditadm.te:9:ERROR 'illegal conditional?
> expression' at token '}' on line 181300:
> #line 9
> 	}
> checkpolicy:??error(s) encountered while parsing configuration
> make: *** [Rules.monolithic:68: policy.30] Error 1
> 
> 
> 
> 
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/system/userdomain.if |???52 +++++++++++++++++++++
> > ---------------
> > ?1 file changed, 31 insertions(+), 21 deletions(-)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if
> > 	2016-09-03 01:13:35.096191416 +0200
> > +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	
> > 2016-09-03 01:13:23.378041072 +0200
> > @@ -572,10 +572,37 @@ template(`userdom_common_user_template',
> > ?		dev_read_mouse($1_t)
> > ?	')
> > 
> > +	tunable_policy(`user_rw_noexattrfile',`
> > +		fs_manage_noxattr_fs_files($1_t)
> > +		fs_manage_noxattr_fs_dirs($1_t)
> > +	',`
> > +		fs_read_noxattr_fs_files($1_t)
> > +	')
> > +
> > ?	tunable_policy(`user_ttyfile_stat',`
> > ?		term_getattr_all_ttys($1_t)
> > ?	')
> > 
> > +	ifndef(`enable_mls',`
> > +		tunable_policy(`user_write_removable',`
> > +			# Read/write floppies and other removable
> > devices
> > +			storage_raw_read_removable_device($1_t)
> > +			storage_raw_write_removable_device($1_t)
> > +		',`
> > +			# Read floppies
> > +			storage_raw_read_removable_device($1_t)
> > +		')
> > +	')
> > +
> > +	tunable_policy(`user_write_removable',`
> > +		# Read/write USB devices (e.g. external removable
> > USB mass storage devices)
> > +		dev_rw_generic_usb_dev($1_t)
> > +	',`
> > +		# Read USB devices (e.g. external removable USB
> > mass storage devices)
> > +		dev_read_generic_usb_dev($1_t)
> > +	')
> > +
> > +
> > ?	optional_policy(`
> > ?		alsa_home_filetrans_alsa_home($1_t, file,
> > ".asoundrc")
> > ?		alsa_manage_home_files($1_t)
> > @@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
> > 
> > ?	files_exec_usr_files($1_t)
> > 
> > -	ifndef(`enable_mls',`
> > -		fs_exec_noxattr($1_t)
> > -
> > -		tunable_policy(`user_rw_noexattrfile',`
> > -			fs_manage_noxattr_fs_files($1_t)
> > -			fs_manage_noxattr_fs_dirs($1_t)
> > -			# Write floppies
> > -			storage_raw_read_removable_device($1_t)
> > -			storage_raw_write_removable_device($1_t)
> > -		',`
> > -			storage_raw_read_removable_device($1_t)
> > -		')
> > -	')
> > -
> > ?	tunable_policy(`user_dmesg',`
> > ?		kernel_read_ring_buffer($1_t)
> > ?	',`
> > ?		kernel_dontaudit_read_ring_buffer($1_t)
> > ?	')
> > 
> > +	tunable_policy(`user_exec_noexattrfile',`
> > +		fs_exec_noxattr($1_t)
> > +	')
> > +
> > ?	# Allow users to run TCP servers (bind to ports and accept
> > connection from
> > ?	# the same domain and outside users) disabling this forces
> > FTP passive mode
> > ?	# and may change other protocols
> > @@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
> > ?	userdom_manage_user_home_content_sockets($1_t)
> > ?	userdom_user_home_dir_filetrans_user_home_content($1_t, {
> > dir file lnk_file fifo_file sock_file })
> > 
> > -	tunable_policy(`user_rw_noexattrfile',`
> > -		fs_manage_noxattr_fs_files($1_t)
> > -		fs_manage_noxattr_fs_dirs($1_t)
> > -	',`
> > -		fs_read_noxattr_fs_files($1_t)
> > -	')
> > -
> > ?	optional_policy(`
> > ?		postgresql_unconfined($1_t)
> > ?	')
> > 
> 
> 


* [refpolicy] [PATCH v2] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-05 14:32     ` Chris PeBenito
  2016-09-05 14:49       ` Guido Trentalancia
@ 2016-09-05 16:53       ` Guido Trentalancia
  1 sibling, 0 replies; 8+ messages in thread
From: Guido Trentalancia @ 2016-09-05 16:53 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

I have finally managed to reproduce this.

Unfortunately, I failed to include the changes to the
userdomain.te file (where the booleans are actually declared)...

I'll create a new version of the patch.

Thanks for your patience.

Best regards,

Guido

On Mon, 05/09/2016 at 10.32 -0400, Chris PeBenito wrote:
> On 09/02/16 19:23, Guido Trentalancia wrote:
> > 
> > Improve the existing user domain template policy:
> > 
> > - better support for the "user_rw_noexattrfile" boolean (enable
> > ? write operations on filesystems that do not support extended
> > ? attributes, such as FAT or cdrom filesystem);
> > - add support for a new "user_exec_noexattrfile" boolean to
> > ? control the execution of files from filesystems that do not
> > ? support extended attributes (potentially dangerous);
> > - add support for a new "user_write_removable" boolean which
> > ? enables write operations on removable devices (such as
> > ? external removable USB memory, USB mobile phones, etc).
> > 
> > Note that devices might be removable but support extended
> > attributes (Linux xattr filesystems on external USB mass storage
> > devices), so two separate booleans are needed for optimal
> > configuration flexibility.
> > 
> > Writing to removable mass storage devices is a major cause of
> > leakage of confidential information, so the new boolean defaults
> > to false.
> > 
> > Disable raw access for MLS policies (thanks to Christoper
> > PeBenito for suggesting this).
> 
> This doesn't compile for me as monolithic:
> 
> 
> Compiling refpolicy policy.30
> /usr/bin/checkpolicy -U deny policy.conf -o policy.30
> /usr/bin/checkpolicy:??loading policy configuration from policy.conf
> policy/modules/roles/auditadm.te:9:ERROR 'unknown boolean?
> user_write_removable in conditional expression' at token?
> 'user_write_removable' on line 181074:
> #line 9
> 	if (user_write_removable) {
> policy/modules/roles/auditadm.te:9:ERROR 'illegal conditional?
> expression' at token '}' on line 181300:
> #line 9
> 	}
> checkpolicy:??error(s) encountered while parsing configuration
> make: *** [Rules.monolithic:68: policy.30] Error 1
> 
> 
> 
> 
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/system/userdomain.if |???52 +++++++++++++++++++++
> > ---------------
> > ?1 file changed, 31 insertions(+), 21 deletions(-)
> > 
> > --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if
> > 	2016-09-03 01:13:35.096191416 +0200
> > +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	
> > 2016-09-03 01:13:23.378041072 +0200
> > @@ -572,10 +572,37 @@ template(`userdom_common_user_template',
> > ?		dev_read_mouse($1_t)
> > ?	')
> > 
> > +	tunable_policy(`user_rw_noexattrfile',`
> > +		fs_manage_noxattr_fs_files($1_t)
> > +		fs_manage_noxattr_fs_dirs($1_t)
> > +	',`
> > +		fs_read_noxattr_fs_files($1_t)
> > +	')
> > +
> > ?	tunable_policy(`user_ttyfile_stat',`
> > ?		term_getattr_all_ttys($1_t)
> > ?	')
> > 
> > +	ifndef(`enable_mls',`
> > +		tunable_policy(`user_write_removable',`
> > +			# Read/write floppies and other removable
> > devices
> > +			storage_raw_read_removable_device($1_t)
> > +			storage_raw_write_removable_device($1_t)
> > +		',`
> > +			# Read floppies
> > +			storage_raw_read_removable_device($1_t)
> > +		')
> > +	')
> > +
> > +	tunable_policy(`user_write_removable',`
> > +		# Read/write USB devices (e.g. external removable
> > USB mass storage devices)
> > +		dev_rw_generic_usb_dev($1_t)
> > +	',`
> > +		# Read USB devices (e.g. external removable USB
> > mass storage devices)
> > +		dev_read_generic_usb_dev($1_t)
> > +	')
> > +
> > +
> > ?	optional_policy(`
> > ?		alsa_home_filetrans_alsa_home($1_t, file,
> > ".asoundrc")
> > ?		alsa_manage_home_files($1_t)
> > @@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
> > 
> > ?	files_exec_usr_files($1_t)
> > 
> > -	ifndef(`enable_mls',`
> > -		fs_exec_noxattr($1_t)
> > -
> > -		tunable_policy(`user_rw_noexattrfile',`
> > -			fs_manage_noxattr_fs_files($1_t)
> > -			fs_manage_noxattr_fs_dirs($1_t)
> > -			# Write floppies
> > -			storage_raw_read_removable_device($1_t)
> > -			storage_raw_write_removable_device($1_t)
> > -		',`
> > -			storage_raw_read_removable_device($1_t)
> > -		')
> > -	')
> > -
> > ?	tunable_policy(`user_dmesg',`
> > ?		kernel_read_ring_buffer($1_t)
> > ?	',`
> > ?		kernel_dontaudit_read_ring_buffer($1_t)
> > ?	')
> > 
> > +	tunable_policy(`user_exec_noexattrfile',`
> > +		fs_exec_noxattr($1_t)
> > +	')
> > +
> > ?	# Allow users to run TCP servers (bind to ports and accept
> > connection from
> > ?	# the same domain and outside users) disabling this forces
> > FTP passive mode
> > ?	# and may change other protocols
> > @@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
> > ?	userdom_manage_user_home_content_sockets($1_t)
> > ?	userdom_user_home_dir_filetrans_user_home_content($1_t, {
> > dir file lnk_file fifo_file sock_file })
> > 
> > -	tunable_policy(`user_rw_noexattrfile',`
> > -		fs_manage_noxattr_fs_files($1_t)
> > -		fs_manage_noxattr_fs_dirs($1_t)
> > -	',`
> > -		fs_read_noxattr_fs_files($1_t)
> > -	')
> > -
> > ?	optional_policy(`
> > ?		postgresql_unconfined($1_t)
> > ?	')
> > 
> 
> 
-- 
This message contains confidential information intended only for the use
of the addressee(s). If you are not the intended recipient, please
contact the sender by return e-mail and destroy all copies of the
original message.


* [refpolicy] [PATCH v3] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-02 23:23   ` [refpolicy] [PATCH v2] " Guido Trentalancia
  2016-09-05 14:32     ` Chris PeBenito
@ 2016-09-05 16:58     ` Guido Trentalancia
  2016-09-07 21:50       ` Chris PeBenito
  1 sibling, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2016-09-05 16:58 UTC (permalink / raw)
  To: refpolicy

Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable
  write operations on filesystems that do not support extended
  attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
  control the execution of files from filesystems that do not
  support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
  enables write operations on removable devices (such as
  external removable USB memory, USB mobile phones, etc).

Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.

Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.

Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).

This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.if |   52 +++++++++++++++++++++---------------
 policy/modules/system/userdomain.te |   17 +++++++++++
 2 files changed, 48 insertions(+), 21 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-05 18:53:56.396540537 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-04 15:49:21.924695791 +0200
@@ -572,10 +572,37 @@ template(`userdom_common_user_template',
 		dev_read_mouse($1_t)
 	')
 
+	tunable_policy(`user_rw_noexattrfile',`
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_dirs($1_t)
+	',`
+		fs_read_noxattr_fs_files($1_t)
+	')
+
 	tunable_policy(`user_ttyfile_stat',`
 		term_getattr_all_ttys($1_t)
 	')
 
+	ifndef(`enable_mls',`
+		tunable_policy(`user_write_removable',`
+			# Read/write floppies and other removable devices
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+		',`
+			# Read floppies
+			storage_raw_read_removable_device($1_t)
+		')
+	')
+
+	tunable_policy(`user_write_removable',`
+		# Read/write USB devices (e.g. external removable USB mass storage devices)
+		dev_rw_generic_usb_dev($1_t)
+	',`
+		# Read USB devices (e.g. external removable USB mass storage devices)
+		dev_read_generic_usb_dev($1_t)
+	')
+
+
 	optional_policy(`
 		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
@@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
 
 	files_exec_usr_files($1_t)
 
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			fs_manage_noxattr_fs_files($1_t)
-			fs_manage_noxattr_fs_dirs($1_t)
-			# Write floppies
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-		',`
-			storage_raw_read_removable_device($1_t)
-		')
-	')
-
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
+	tunable_policy(`user_exec_noexattrfile',`
+		fs_exec_noxattr($1_t)
+	')
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
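Review bot: The new tunable_policy for user_exec_noexattrfile at L986-988 drops the ifndef(enable_mls) guard that wrapped `fs_exec_noxattr($1_t)` in the removed code at L966-967, so an MLS build can now enable execution from xattr-less filesystems by flipping a boolean, which it could not do before and which is at odds with the explicit MLS exclusion the patch keeps for raw device access. Keep the guard by wrapping the new tunable_policy in the same ifndef(enable_mls) block, exactly as the raw removable-device rules are. Files on FAT/ISO9660 media carry no per-file label, so executing them sidesteps file-label based execution control; a one-line comment above the tunable_policy stating this, such as `# Execution from unlabeled (noxattr) media bypasses per-file exec labeling`, would help the next reader understand why the default is false. userdom_unpriv_user_template continues outside the hunk on both sides.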
@@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
-	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
-		fs_manage_noxattr_fs_dirs($1_t)
-	',`
-		fs_read_noxattr_fs_files($1_t)
-	')
-
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.te	2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.te	2016-09-03 21:44:56.594204315 +0200
@@ -43,6 +43,23 @@ gen_tunable(user_rw_noexattrfile, false)
 
 ## <desc>
 ## <p>
+## Allow user to execute files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_exec_noexattrfile, false)
+
+## <desc>
+## <p>
+## Allow user to write files on removable
+## devices (e.g. external USB memory
+## devices or floppies)
+## </p>
+## </desc>
+gen_tunable(user_write_removable, false)
+
+## <desc>
+## <p>
 ## Allow w to display everyone
 ## </p>
 ## </desc>
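Review bot: The user_write_removable description at L1021-1023 says only "write files on removable devices", but the rules it controls in userdomain.if grant raw read/write on the removable block device nodes and on the generic USB device nodes, not file-level writes through a mounted filesystem — those are presumably governed by the filesystem's own labeling (and by user_rw_noexattrfile for FAT-like media). An administrator reading the generated boolean documentation would otherwise take it for a file-write switch and miss that it opens raw device access, and that the block-device part is compiled out on MLS builds. Suggested wording: `## Allow user to read and write removable storage devices directly (raw block device nodes and generic USB device nodes, e.g. external USB drives, floppies). The block device part is not available on MLS builds.` The user_exec_noexattrfile description at L1013-1014 could likewise note that executables on xattr-less filesystems cannot carry a file label, so enabling it weakens label-based execution control.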


* [refpolicy] [PATCH v3] Improve tunable support for rw operations on noxattr fs / removable media
  2016-09-05 16:58     ` [refpolicy] [PATCH v3] " Guido Trentalancia
@ 2016-09-07 21:50       ` Chris PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Chris PeBenito @ 2016-09-07 21:50 UTC (permalink / raw)
  To: refpolicy

On 09/05/16 12:58, Guido Trentalancia wrote:
> Improve the existing user domain template policy:
>
> - better support for the "user_rw_noexattrfile" boolean (enable
>   write operations on filesystems that do not support extended
>   attributes, such as FAT or cdrom filesystem);
> - add support for a new "user_exec_noexattrfile" boolean to
>   control the execution of files from filesystems that do not
>   support extended attributes (potentially dangerous);
> - add support for a new "user_write_removable" boolean which
>   enables write operations on removable devices (such as
>   external removable USB memory, USB mobile phones, etc).
>
> Note that devices might be removable but support extended
> attributes (Linux xattr filesystems on external USB mass storage
> devices), so two separate booleans are needed for optimal
> configuration flexibility.
>
> Writing to removable mass storage devices is a major cause of
> leakage of confidential information, so the new boolean defaults
> to false.
>
> Disable raw access for MLS policies (thanks to Christoper
> PeBenito for suggesting this).
>
> This new version of the patch correctly includes the definitions
> of the new booleans (by including the .te file differences).

Merged.



> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.if |   52 +++++++++++++++++++++---------------
>  policy/modules/system/userdomain.te |   17 +++++++++++
>  2 files changed, 48 insertions(+), 21 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if	2016-09-05 18:53:56.396540537 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if	2016-09-04 15:49:21.924695791 +0200
> @@ -572,10 +572,37 @@ template(`userdom_common_user_template',
>  		dev_read_mouse($1_t)
>  	')
>
> +	tunable_policy(`user_rw_noexattrfile',`
> +		fs_manage_noxattr_fs_files($1_t)
> +		fs_manage_noxattr_fs_dirs($1_t)
> +	',`
> +		fs_read_noxattr_fs_files($1_t)
> +	')
> +
>  	tunable_policy(`user_ttyfile_stat',`
>  		term_getattr_all_ttys($1_t)
>  	')
>
> +	ifndef(`enable_mls',`
> +		tunable_policy(`user_write_removable',`
> +			# Read/write floppies and other removable devices
> +			storage_raw_read_removable_device($1_t)
> +			storage_raw_write_removable_device($1_t)
> +		',`
> +			# Read floppies
> +			storage_raw_read_removable_device($1_t)
> +		')
> +	')
> +
> +	tunable_policy(`user_write_removable',`
> +		# Read/write USB devices (e.g. external removable USB mass storage devices)
> +		dev_rw_generic_usb_dev($1_t)
> +	',`
> +		# Read USB devices (e.g. external removable USB mass storage devices)
> +		dev_read_generic_usb_dev($1_t)
> +	')
> +
> +
>  	optional_policy(`
>  		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
>  		alsa_manage_home_files($1_t)
> @@ -1013,26 +1065,16 @@ template(`userdom_unpriv_user_template',
>
>  	files_exec_usr_files($1_t)
>
> -	ifndef(`enable_mls',`
> -		fs_exec_noxattr($1_t)
> -
> -		tunable_policy(`user_rw_noexattrfile',`
> -			fs_manage_noxattr_fs_files($1_t)
> -			fs_manage_noxattr_fs_dirs($1_t)
> -			# Write floppies
> -			storage_raw_read_removable_device($1_t)
> -			storage_raw_write_removable_device($1_t)
> -		',`
> -			storage_raw_read_removable_device($1_t)
> -		')
> -	')
> -
>  	tunable_policy(`user_dmesg',`
>  		kernel_read_ring_buffer($1_t)
>  	',`
>  		kernel_dontaudit_read_ring_buffer($1_t)
>  	')
>
> +	tunable_policy(`user_exec_noexattrfile',`
> +		fs_exec_noxattr($1_t)
> +	')
> +
>  	# Allow users to run TCP servers (bind to ports and accept connection from
>  	# the same domain and outside users) disabling this forces FTP passive mode
>  	# and may change other protocols
> @@ -1214,13 +1256,6 @@ template(`userdom_admin_user_template',`
>  	userdom_manage_user_home_content_sockets($1_t)
>  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
>
> -	tunable_policy(`user_rw_noexattrfile',`
> -		fs_manage_noxattr_fs_files($1_t)
> -		fs_manage_noxattr_fs_dirs($1_t)
> -	',`
> -		fs_read_noxattr_fs_files($1_t)
> -	')
> -
>  	optional_policy(`
>  		postgresql_unconfined($1_t)
>  	')
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.te	2016-08-06 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.te	2016-09-03 21:44:56.594204315 +0200
> @@ -43,6 +43,23 @@ gen_tunable(user_rw_noexattrfile, false)
>
>  ## <desc>
>  ## <p>
> +## Allow user to execute files on filesystems
> +## that do not have extended attributes (FAT, CDROM, FLOPPY)
> +## </p>
> +## </desc>
> +gen_tunable(user_exec_noexattrfile, false)
> +
> +## <desc>
> +## <p>
> +## Allow user to write files on removable
> +## devices (e.g. external USB memory
> +## devices or floppies)
> +## </p>
> +## </desc>
> +gen_tunable(user_write_removable, false)
> +
> +## <desc>
> +## <p>
>  ## Allow w to display everyone
>  ## </p>
>  ## </desc>
>


-- 
Chris PeBenito
