From mboxrd@z Thu Jan  1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 21 Feb 2011 10:40:10 -0500
Subject: [refpolicy] [patch 1/3] Implementation of system conf type
In-Reply-To: <1298180267.3098.11.camel@tesla.lan>
References: <4D5E95C1.9080805@redhat.com> <20110219095711.GA6270@siphos.be>
	<1298180267.3098.11.camel@tesla.lan>
Message-ID: <4D62875A.8060006@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2011 12:37 AM, Guido Trentalancia wrote:
> On Sat, 19/02/2011 at 10.57 +0100, Sven Vermeulen wrote:
>> On Fri, Feb 18, 2011 at 03:52:33PM +0000, Miroslav Grepl wrote:
>>> http://mgrepl.fedorapeople.org/F15/system_conf_implemantion_p1.patch
>>>
>>>      * Implementation of system conf type for manageable system 
>>> configuration files.
>>
>> Isn't a generic system configuration type a bit too broad for a security
>> policy? We already have etc_t.
> 
> I agree with Sven, it appears to be rather useless (at least for the use
> that is being made so far in the patches that have been posted) and it
> just introduces a redundancy of types.
> 
> But Sven, I believe this is stuff just intended for Fedora 15. It won't
> affect the rest of us. I don't even understand why it has been posted
> with the [PATCH] tag in the subject on this mailing list. Some stuff
> won't even build on refpolicy because there are missing bits (such as
> missing interfaces that have never been defined in refpolicy and that
> are only being used by Fedora as part of their customisations).
> 
> Regards,
> 
> Guido
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

When you have a type a domain needs to write, you do not want that type
to be etc_t.  In this case several confined domains needs to be able to
write firewall rules, I believe.  If we give tools like
system-config-firewall the ability to write etc_t, it can replace
/etc/passwd and other key config files.  So an exploit can be used to
take over the entire machine, if we add a new type, then
system-config-firewall will only be allowed to write firewall rules and
not most files within the /etc tree.

We have lots of examples of this, for example net_conf_t for
/etc/resolv.conf.

As configuration tools move to a dbus/policykit config, you will see
more "config" files gather labels.  As we try to add domains for
confined administrator, you will also see types added.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1ih1kACgkQrlYvE4MpobOQtwCgxIxBkC7WtMV/uzUDiVercj5A
nAYAoKV6ywEHdiAwRPSheCN9nbOXmcuo
=mGAX
-----END PGP SIGNATURE-----