* [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors
@ 2012-09-04 21:21 Laurent Bigonville
From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

---
 policy/modules/kernel/corecommands.if |    2 +-
 policy/modules/kernel/filesystem.if   |    2 +-
 policy/modules/kernel/kernel.if       |    6 +++---
 policy/modules/services/ssh.if        |    2 +-
 policy/modules/system/init.if         |    4 ++--
 policy/modules/system/libraries.if    |    4 ++--
 policy/modules/system/mount.if        |    2 +-
 policy/modules/system/unconfined.if   |    4 ++--
 8 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..6aea26e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -51,7 +51,7 @@ interface(`corecmd_executable_file',`
 ## </param>
 #
 interface(`corecmd_bin_alias',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
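Review bot: The message left on `corecmd_bin_alias` still only says "has been deprecated", which is too little now that `refpolicyerr` aborts the policy build instead of warning: a module author whose out-of-tree policy still calls this interface is stopped cold but not told that there is nothing to migrate to. Since the series title says these interfaces have no replacement, the message should say so, e.g. `refpolicyerr(`$0($*) has been deprecated and has no replacement.')`. The same wording would apply to the other stubs touched in this series.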
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7c6b791..dbba365 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1790,7 +1790,7 @@ interface(`fs_manage_dos_files',`
 #
 # eventpollfs was changed to task SID 20060628
 interface(`fs_read_eventpollfs',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4bf45cb..cf7e492 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -299,7 +299,7 @@ interface(`kernel_dgram_send',`
 ## </param>
 #
 interface(`kernel_tcp_recvfrom',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -313,7 +313,7 @@ interface(`kernel_tcp_recvfrom',`
 ## </param>
 #
 interface(`kernel_udp_send',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -327,7 +327,7 @@ interface(`kernel_udp_send',`
 ## </param>
 #
 interface(`kernel_udp_recvfrom',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..057a197 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -582,7 +582,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
 ## </param>
 #
 interface(`ssh_tcp_connect',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..e608e05 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -670,7 +670,7 @@ interface(`init_dontaudit_use_fds',`
 ## </param>
 #
 interface(`init_udp_send',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -1359,7 +1359,7 @@ interface(`init_rw_script_pipes',`
 ## </param>
 #
 interface(`init_udp_send_script',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..b24ebed 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -503,7 +503,7 @@ interface(`libs_relabel_shared_libs',`
 ## </param>
 #
 interface(`lib_filetrans_shared_lib',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
@@ -532,5 +532,5 @@ interface(`lib_filetrans_shared_lib',`
 ## </param>
 #
 interface(`files_lib_filetrans_shared_lib',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..2c7f07d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -126,7 +126,7 @@ interface(`mount_use_fds',`
 ## </param>
 #
 interface(`mount_send_nfs_client_request',`
-	refpolicywarn(`$0($*) has been deprecated.')
+	refpolicyerr(`$0($*) has been deprecated.')
 ')
 
 ########################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index db7aabb..74b171d 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -150,7 +150,7 @@ interface(`unconfined_domain',`
 ## </param>
 #
 interface(`unconfined_alias_domain',`
-	refpolicywarn(`$0($1) has been deprecated.')
+	refpolicyerr(`$0($1) has been deprecated.')
 ')
 
 ########################################
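Review bot: The message for `unconfined_alias_domain` prints only `$1`, while every other stub touched by this series prints `$*`; now that the call fails the build, printing the full argument list makes the offending call site easier to identify, so `refpolicyerr(`$0($*) has been deprecated.')` would be consistent with the rest. This is pre-existing text that the commit only re-tags from warning to error, so it is a minor point.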
@@ -176,7 +176,7 @@ interface(`unconfined_alias_domain',`
 ## </param>
 #
 interface(`unconfined_execmem_alias_program',`
-	refpolicywarn(`$0($1) has been deprecated.')
+	refpolicyerr(`$0($1) has been deprecated.')
 ')
 
 ########################################
-- 
1.7.10.4


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-04 21:21 ` Laurent Bigonville
From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw)
  To: refpolicy

From: Mika Pflüger <debian@mikapflueger.de>

Add a new boolean to grant users access to dosfs_t.
---
 policy/global_tunables              |    7 +++++++
 policy/modules/system/userdomain.if |    6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..43cc19a 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to manage files on dosfs_t devices, usually removable media
+## </p>
+## </desc>
+gen_tunable(user_manage_dos_files,true)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e720dcd..0c96b65 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	tunable_policy(`user_manage_dos_files',`
+		fs_manage_dos_dirs($1_t)
+		fs_manage_dos_files($1_t)
+	')
+
 ')
 
 #######################################
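Review bot: The `tunable_policy` block is added inside `userdom_base_user_template`, so every domain built on the base template gains manage access to dosfs_t directories and files whenever the boolean is on, not only full desktop user domains; if that breadth is intended, a short comment above the block would make it explicit, e.g. `# dosfs_t is usually removable media; gated by user_manage_dos_files`. The extra blank line inserted just before the closing `')` is a style nit — the preceding optional block in this template closes directly on `')`. The template's head is outside the hunk.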
-- 
1.7.10.4


* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
@ 2012-09-04 21:21 ` Laurent Bigonville
From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw)
  To: refpolicy

From: Mika Pflüger <debian@mikapflueger.de>

---
 policy/modules/system/iptables.te |    1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0646ee7..6f2fb69 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
 # Iptables local policy
 #
 
+kernel_request_load_module(iptables_t)
 allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
 dontaudit iptables_t self:capability sys_tty_config;
 allow iptables_t self:fifo_file rw_fifo_file_perms;
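Review bot: The new `kernel_request_load_module(iptables_t)` call is placed above the domain's own `allow iptables_t self:...` rules; refpolicy .te files conventionally keep the local self rules first and put interface calls from other modules after them, grouped by module, so moving the line below the `fifo_file` rule (or into an existing `kernel_*` group, if the file has one outside this hunk) would match the rest of the file. A brief comment saying why the permission is needed, e.g. `# iptables triggers autoload of the netfilter table modules`, would help the next reader; I can only infer which modules from the thread, not from this hunk.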
-- 
1.7.10.4


* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
@ 2012-09-04 22:57   ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-04 22:57 UTC (permalink / raw)
  To: refpolicy

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pflüger <debian@mikapflueger.de>
>
> ---
>   policy/modules/system/iptables.te |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 0646ee7..6f2fb69 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
>   # Iptables local policy
>   #
>
> +kernel_request_load_module(iptables_t)
>   allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
>   dontaudit iptables_t self:capability sys_tty_config;
>   allow iptables_t self:fifo_file rw_fifo_file_perms;

Is this for IPv6 ? It was not recommended in NSA security guidelines. 
Has this now been changed ? If not, then perhaps it can be enclosed in 
tunable policy ?

Regards,

Guido


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-04 23:45   ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-04 23:45 UTC (permalink / raw)
  To: refpolicy

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pfl?ger <debian@mikapflueger.de>
>
> Add a new boolean to grant users access to dosfs_t.
> ---
>   policy/global_tunables              |    7 +++++++
>   policy/modules/system/userdomain.if |    6 ++++++
>   2 files changed, 13 insertions(+)
>
> diff --git a/policy/global_tunables b/policy/global_tunables
> index 4705ab6..43cc19a 100644
> --- a/policy/global_tunables
> +++ b/policy/global_tunables
> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
>   ## </p>
>   ## </desc>
>   gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Allow users to manage files on dosfs_t devices, usually removable media
> +## </p>
> +## </desc>
> +gen_tunable(user_manage_dos_files,true)

In my opinion it is good to have this as an option, but in a secure 
environment the default should be false for removable media.

> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index e720dcd..0c96b65 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
>   		# Allow making the stack executable via mprotect.
>   		allow $1_t self:process execstack;
>   	')
> +
> +	tunable_policy(`user_manage_dos_files',`
> +		fs_manage_dos_dirs($1_t)
> +		fs_manage_dos_files($1_t)
> +	')
> +
>   ')
>
>   #######################################
>

Regards,

Guido


* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
@ 2012-09-05  0:30     ` Russell Coker
From: Russell Coker @ 2012-09-05  0:30 UTC (permalink / raw)
  To: refpolicy

On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote:
> > +kernel_request_load_module(iptables_t)
> >
> >   allow iptables_t self:capability { dac_read_search dac_override
> >net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
> >   allow iptables_t self:fifo_file rw_fifo_file_perms;
> 
> Is this for IPv6 ? It was not recommended in NSA security guidelines. 
> Has this now been changed ? If not, then perhaps it can be enclosed in 
> tunable policy ?

No, it happened on systems that didn't use any ip6tables commands.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05  0:32     ` Russell Coker
From: Russell Coker @ 2012-09-05  0:32 UTC (permalink / raw)
  To: refpolicy

On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote:
> > +## <desc>
> > +## <p>
> > +## Allow users to manage files on dosfs_t devices, usually removable
> > media +## </p>
> > +## </desc>
> > +gen_tunable(user_manage_dos_files,true)
> 
> In my opinion is good to have this as on option, but in a secure 
> environment the default should be false for removable media.

It's one setsebool command to make it "secure" in that regard.  I think that 
for most systems where you really don't want users reading files on FAT 
filesystems you won't have the ability to even mount them (remove USB ports 
etc).  For the majority of servers there will be no physical access by 
untrusted users.  For the majority of desktop systems such access will be 
desired and it's one more potential thing for less clueful people to cite as a 
reason for not using SE Linux if it doesn't work by default.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05  7:00     ` Dominick Grift
From: Dominick Grift @ 2012-09-05  7:00 UTC (permalink / raw)
  To: refpolicy



On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
> On 04/09/2012 23:21, Laurent Bigonville wrote:
> > From: Mika Pfl?ger <debian@mikapflueger.de>
> >
> > Add a new boolean to grant users access to dosfs_t.
> > ---
> >   policy/global_tunables              |    7 +++++++
> >   policy/modules/system/userdomain.if |    6 ++++++
> >   2 files changed, 13 insertions(+)
> >
> > diff --git a/policy/global_tunables b/policy/global_tunables
> > index 4705ab6..43cc19a 100644
> > --- a/policy/global_tunables
> > +++ b/policy/global_tunables
> > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
> >   ## </p>
> >   ## </desc>
> >   gen_tunable(user_tcp_server,false)
> > +
> > +## <desc>
> > +## <p>
> > +## Allow users to manage files on dosfs_t devices, usually removable media
> > +## </p>
> > +## </desc>
> > +gen_tunable(user_manage_dos_files,true)
> 
> In my opinion is good to have this as on option, but in a secure 
> environment the default should be false for removable media.

I would prefer the boolean to be prefixed with userdom or userdomain instead
of user, because that is the module that declares this boolean.

Since the user is also allowed to manage dos dirs i would probably call
it: userdomain_manage_dos_content

as description i would use:

"Determine whether users can manage dosfs content."

> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index e720dcd..0c96b65 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
> >   		# Allow making the stack executable via mprotect.
> >   		allow $1_t self:process execstack;
> >   	')
> > +
> > +	tunable_policy(`user_manage_dos_files',`
> > +		fs_manage_dos_dirs($1_t)
> > +		fs_manage_dos_files($1_t)
> > +	')
> > +
> >   ')
> >
> >   #######################################
> >
> 
> Regards,
> 
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05  8:41       ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-05  8:41 UTC (permalink / raw)
  To: refpolicy

On 05/09/2012 09:00, Dominick Grift wrote:
>
>
> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>
>>> Add a new boolean to grant users access to dosfs_t.
>>> ---
>>>    policy/global_tunables              |    7 +++++++
>>>    policy/modules/system/userdomain.if |    6 ++++++
>>>    2 files changed, 13 insertions(+)
>>>
>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>> index 4705ab6..43cc19a 100644
>>> --- a/policy/global_tunables
>>> +++ b/policy/global_tunables
>>> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
>>>    ## </p>
>>>    ## </desc>
>>>    gen_tunable(user_tcp_server,false)
>>> +
>>> +## <desc>
>>> +## <p>
>>> +## Allow users to manage files on dosfs_t devices, usually removable media
>>> +## </p>
>>> +## </desc>
>>> +gen_tunable(user_manage_dos_files,true)
>>
>> In my opinion is good to have this as on option, but in a secure
>> environment the default should be false for removable media.
>
> i would prefer the boolean to be fprefix userdom or userdomain instead
> of user, because that it the module that declares this boolean.
>
> Since the user is also allowed to manage dos dirs i would probably call
> it: userdomain_manage_dos_content
>
> as description i would use:
>
> "Determine whether users can manage dosfs content."

I agree. In particular, it is not "DOS files", which can be confusing, 
but DOS filesystems, which is already reflected in Dominick's proposed wording.

>>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>>> index e720dcd..0c96b65 100644
>>> --- a/policy/modules/system/userdomain.if
>>> +++ b/policy/modules/system/userdomain.if
>>> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
>>>    		# Allow making the stack executable via mprotect.
>>>    		allow $1_t self:process execstack;
>>>    	')
>>> +
>>> +	tunable_policy(`user_manage_dos_files',`
>>> +		fs_manage_dos_dirs($1_t)
>>> +		fs_manage_dos_files($1_t)
>>> +	')
>>> +
>>>    ')
>>>
>>>    #######################################


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05  8:47       ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-05  8:47 UTC (permalink / raw)
  To: refpolicy

On 05/09/2012 02:32, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote:
>>> +## <desc>
>>> +## <p>
>>> +## Allow users to manage files on dosfs_t devices, usually removable
>>> media +## </p>
>>> +## </desc>
>>> +gen_tunable(user_manage_dos_files,true)
>>
>> In my opinion is good to have this as on option, but in a secure
>> environment the default should be false for removable media.
>
> It's one setsebool command to make it "secure" in that regard.  I think that
> for most systems where you really don't want users reading files on FAT
> filesystems you won't have the ability to even mount them (remove USB ports
> etc).  For the majority of servers there will be no physical access by
> untrusted users.  For the majority of desktop systems such access will be
> desired and it's one more potential thing for less clueful people to cite as a
> reason for not using SE Linux if it doesn't work by default.

It depends in my opinion whether most desktops are "home" and "personal" 
desktops or "office" desktops...

I do not have such figure at hand now.

But for sure, with business networks being routinely or randomly 
monitored, one of the major sources of leaks of confidential data from 
companies nowadays is removable media.

Best regards,

Guido


* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
@ 2012-09-05  8:48       ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-05  8:48 UTC (permalink / raw)
  To: refpolicy

On 05/09/2012 02:30, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote:
>>> +kernel_request_load_module(iptables_t)
>>>
>>>    allow iptables_t self:capability { dac_read_search dac_override
>>> net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
>>>    allow iptables_t self:fifo_file rw_fifo_file_perms;
>>
>> Is this for IPv6 ? It was not recommended in NSA security guidelines.
>> Has this now been changed ? If not, then perhaps it can be enclosed in
>> tunable policy ?
>
> No, it happened on systems that didn't use any ip6tables commands.

So, what is the module that it needs to load ?

Guido


* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
@ 2012-09-05  9:23         ` Laurent Bigonville
From: Laurent Bigonville @ 2012-09-05  9:23 UTC (permalink / raw)
  To: refpolicy

Le Wed, 05 Sep 2012 10:48:44 +0200,
Guido Trentalancia <guido@trentalancia.com> a écrit :

> On 05/09/2012 02:30, Russell Coker wrote:
> > On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com>
> > wrote:
> >>> +kernel_request_load_module(iptables_t)
> >>>
> >>>    allow iptables_t self:capability { dac_read_search dac_override
> >>> net_admin net_raw }; dontaudit iptables_t self:capability
> >>> sys_tty_config; allow iptables_t self:fifo_file
> >>> rw_fifo_file_perms;
> >>
> >> Is this for IPv6 ? It was not recommended in NSA security
> >> guidelines. Has this now been changed ? If not, then perhaps it
> >> can be enclosed in tunable policy ?
> >
> > No, it happened on systems that didn't use any ip6tables commands.
> 
> So, what is the module that it needs to load ?

On my debian machine, running "iptables -vL" is automatically loading
iptable_filter, ip_tables, x_tables.

But anyway, it seems that iptables.te file on git master is already
containing that line (from 2009) a bit later in the code, so I guess
that patch can just be dropped.

Sorry for the noise,

Cheers

Laurent Bigonville


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05 13:24         ` Daniel J Walsh
From: Daniel J Walsh @ 2012-09-05 13:24 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
> On 05/09/2012 09:00, Dominick Grift wrote:
>> 
>> 
>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>> From: Mika Pflüger <debian@mikapflueger.de>
>>>> 
>>>> Add a new boolean to grant users access to dosfs_t. --- 
>>>> policy/global_tunables              |    7 +++++++ 
>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files changed, 13
>>>> insertions(+)
>>>> 
>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> 
>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>> 
>>> In my opinion is good to have this as on option, but in a secure 
>>> environment the default should be false for removable media.
>> 
>> i would prefer the boolean to be fprefix userdom or userdomain instead of
>> user, because that it the module that declares this boolean.
>> 
>> Since the user is also allowed to manage dos dirs i would probably call 
>> it: userdomain_manage_dos_content
>> 
>> as description i would use:
>> 
>> "Determine whether users can manage dosfs content."
> 
> I agree. And, in particular it's not "dos files" which can be confusing, 
> but dos filesystems which is already perfectioned in Dominick's
> amendments.
> 
>>>> diff --git a/policy/modules/system/userdomain.if
>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644 
>>>> --- a/policy/modules/system/userdomain.if +++
>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>> tunable_policy(`user_manage_dos_files',` +		fs_manage_dos_dirs($1_t) 
>>>> +		fs_manage_dos_files($1_t) +	') + ')
>>>> 
>>>> #######################################
> 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 
I think all booleans should be off by default and then the distributions can
decide which booleans to turn on using the booleans.conf file.  This would
allow us one file to look at to see what is enabled.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBHUoMACgkQrlYvE4MpobMVPgCgwwQb/Vq1EYmSsagQNwF3iuTw
SasAn0ikgSzoEUB0TO9dU4tyS4oaifNz
=gc0X
-----END PGP SIGNATURE-----


* [refpolicy] [PATCH 2/3] user access to DOS files
@ 2012-09-05 15:04           ` Guido Trentalancia
From: Guido Trentalancia @ 2012-09-05 15:04 UTC (permalink / raw)
  To: refpolicy

On 05/09/2012 15:24, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables              |    7 +++++++
>>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion is good to have this as on option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> i would prefer the boolean to be fprefix userdom or userdomain instead of
>>> user, because that it the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs i would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> as description i would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And, in particular it's not "dos files" which can be confusing,
>> but dos filesystems which is already perfectioned in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` +		fs_manage_dos_dirs($1_t)
>>>>> +		fs_manage_dos_files($1_t) +	') + ')
>>>>>
>>>>> #######################################
>>
>> _______________________________________________ refpolicy mailing list
>> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file.  This would
> allow us one file to look at to see what is enabled.

Yes, exactly. At least until Reference Policy decides to ship a few 
official example booleans.conf configuration files in a separate 
directory, to resemble typical situations/environments such as the one 
already described as "personal", "home", "office" and so on.

Another possible point of failure in allowing access to other OSes' 
filesystems by default is multi-boot systems: on such systems, if one OS 
is compromised, it could in theory compromise the others too.

So, in theory (and in my opinion), it's not just a matter of preventing 
the mount of removable media, which as Russell Coker noted can be 
disabled elsewhere...

Regards,

Guido


* [refpolicy] [PATCH v2 2/3] user access to DOS filesystems
@ 2012-09-05 15:50       ` Laurent Bigonville
From: Laurent Bigonville @ 2012-09-05 15:50 UTC (permalink / raw)
  To: refpolicy

From: Mika Pflüger <debian@mikapflueger.de>

Add a new boolean to grant users access to dosfs_t.
---
 policy/global_tunables              |    7 +++++++
 policy/modules/system/userdomain.if |    6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..092df0b 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Determine whether users can manage dosfs content.
+## </p>
+## </desc>
+gen_tunable(userdomain_manage_dos_content,false)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e720dcd..949c738 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
 		# Allow making the stack executable via mprotect.
 		allow $1_t self:process execstack;
 	')
+
+	tunable_policy(`userdomain_manage_dos_content',`
+		fs_manage_dos_dirs($1_t)
+		fs_manage_dos_files($1_t)
+	')
+
 ')
 
 #######################################
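Review bot: The added blank line right before the template's closing `')` leaves the new block with trailing whitespace at the end of the body, unlike the `optional` block above it, which sits flush against its own `')`. Keep the single blank line that separates the new `tunable_policy` call from the preceding block and drop the one after `')`, so the template body ends on the `')` of the tunable block. The enclosing `userdom_base_user_template` starts outside this hunk.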
-- 
1.7.10.4


* [refpolicy] [PATCH v2 2/3] user access to DOS filesystems
  2012-09-05 15:50       ` [refpolicy] [PATCH v2 2/3] user access to DOS filesystems Laurent Bigonville
@ 2012-09-05 17:58         ` Christopher J. PeBenito
  0 siblings, 0 replies; 22+ messages in thread
From: Christopher J. PeBenito @ 2012-09-05 17:58 UTC (permalink / raw)
  To: refpolicy

On 09/05/12 11:50, Laurent Bigonville wrote:
> From: Mika Pfl??ger <debian@mikapflueger.de>
> 
> Add a new boolean to grant users access to dosfs_t.
> ---
>  policy/global_tunables              |    7 +++++++
>  policy/modules/system/userdomain.if |    6 ++++++
>  2 files changed, 13 insertions(+)
> 
> diff --git a/policy/global_tunables b/policy/global_tunables
> index 4705ab6..092df0b 100644
> --- a/policy/global_tunables
> +++ b/policy/global_tunables
> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
>  ## </p>
>  ## </desc>
>  gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Determine whether users can manage dosfs content.
> +## </p>
> +## </desc>
> +gen_tunable(userdomain_manage_dos_content,false)

This should be moved to the userdomain module, as its effect is only in that module.  Global tunables should only be used if the tunable is used in multiple modules.

> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index e720dcd..949c738 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
>  		# Allow making the stack executable via mprotect.
>  		allow $1_t self:process execstack;
>  	')
> +
> +	tunable_policy(`userdomain_manage_dos_content',`
> +		fs_manage_dos_dirs($1_t)
> +		fs_manage_dos_files($1_t)
> +	')
> +

This is too low level of a template for this access.  It should be moved to a higher level template such as userdom_common_user_template.  userdom_base_user_template is supposed to define the most minimal user.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)
  2012-09-05 13:24         ` Daniel J Walsh
  2012-09-05 15:04           ` Guido Trentalancia
@ 2012-09-06 11:14           ` Guido Trentalancia
  2012-09-06 12:54             ` Daniel J Walsh
  1 sibling, 1 reply; 22+ messages in thread
From: Guido Trentalancia @ 2012-09-06 11:14 UTC (permalink / raw)
  To: refpolicy

Hello Daniel.

Following your reflections, I have checked the current situation and I 
share the concerns, so I have created a patch which disables most 
tunable policy booleans (except network and the mcelog module as it 
deals amongst other things with CPU thermal events which can be related 
to hardware failures).

On 05/09/2012 15:24, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables              |    7 +++++++
>>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion is good to have this as on option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> i would prefer the boolean to be fprefix userdom or userdomain instead of
>>> user, because that it the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs i would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> as description i would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And, in particular it's not "dos files" which can be confusing,
>> but dos filesystems which is already perfectioned in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` +		fs_manage_dos_dirs($1_t)
>>>>> +		fs_manage_dos_files($1_t) +	') + ')
>>>>>
>>>>> #######################################
>>
>> _______________________________________________ refpolicy mailing list
>> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file.  This would
> allow us one file to look at to see what is enabled.

Turn off all/most tunable policy booleans by default
in Reference Policy (except network).

They can be enabled on a per-distribution basis
and many of those that were enabled were somehow
risky as defaults.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---

diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
--- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te	Thu 
Aug 23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te	Thu 
Sep  6 10:56:21 2012
@@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true)
  ## print out usage and version information.
  ## </p>
  ## </desc>
-gen_tunable(mcelog_foreground, true)
+gen_tunable(mcelog_foreground, false)

  ## <desc>
  ## <p>
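Review bot: The cover text says the mcelog module is left untouched, yet this hunk and the following `@@ -48,7 +48,7 @@` hunk flip `mcelog_foreground` and `mcelog_syslog` to false; either the description or the diff needs to change. Disabling `mcelog_syslog` by default is not a reduction of attack surface but a loss of logging for hardware-error events (the hunk's own context describes it as the syslog option), so every distribution would have to re-enable it just to keep those events visible. If the intent is to keep mcelog behaving as before, leave `gen_tunable(mcelog_syslog, true)` as is and drop this file from the patch.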
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false)
  ## syslog option.
  ## </p>
  ## </desc>
-gen_tunable(mcelog_syslog, true)
+gen_tunable(mcelog_syslog, false)

  type mcelog_t;
  type mcelog_exec_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/qemu.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
--- refpolicy-09062012-git-master/policy/modules/contrib/qemu.te	Thu Aug 
23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te 
Thu Sep  6 10:53:27 2012
@@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false)
  ## Allow qemu to use cifs/Samba file systems
  ## </p>
  ## </desc>
-gen_tunable(qemu_use_cifs, true)
+gen_tunable(qemu_use_cifs, false)

  ## <desc>
  ## <p>
@@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false)
  ## Allow qemu to use nfs file systems
  ## </p>
  ## </desc>
-gen_tunable(qemu_use_nfs, true)
+gen_tunable(qemu_use_nfs, false)

  ## <desc>
  ## <p>
  ## Allow qemu to use usb devices
  ## </p>
  ## </desc>
-gen_tunable(qemu_use_usb, true)
+gen_tunable(qemu_use_usb, false)

  type qemu_exec_t;
  virt_domain_template(qemu)
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/rpc.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te
--- refpolicy-09062012-git-master/policy/modules/contrib/rpc.te	Thu Aug 
23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te 
Thu Sep  6 10:54:59 2012
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
  ## Allow gssd to read temp directory.  For access to kerberos tgt.
  ## </p>
  ## </desc>
-gen_tunable(allow_gssd_read_tmp, true)
+gen_tunable(allow_gssd_read_tmp, false)

  ## <desc>
  ## <p>
diff -pru 
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
--- 
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te	Thu 
Aug 23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te 
Thu Sep  6 10:54:20 2012
@@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa
  ## Allow spamd to read/write user home directories.
  ## </p>
  ## </desc>
-gen_tunable(spamd_enable_home_dirs, true)
+gen_tunable(spamd_enable_home_dirs, false)

  type spamassassin_t;
  type spamassassin_exec_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/virt.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
--- refpolicy-09062012-git-master/policy/modules/contrib/virt.te	Thu Aug 
23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te 
Thu Sep  6 10:54:05 2012
@@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false)
  ## Allow virt to use usb devices
  ## </p>
  ## </desc>
-gen_tunable(virt_use_usb, true)
+gen_tunable(virt_use_usb, false)

  virt_domain_template(svirt)
  role system_r types svirt_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xen.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xen.te	Thu Aug 
23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te 
Thu Sep  6 10:54:41 2012
@@ -11,7 +11,7 @@ policy_module(xen, 1.12.0)
  ## Not required if using dedicated logical volumes for disk images.
  ## </p>
  ## </desc>
-gen_tunable(xend_run_blktap, true)
+gen_tunable(xend_run_blktap, false)

  ## <desc>
  ## <p>
@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true)
  ## Not required if using paravirt and no vfb.
  ## </p>
  ## </desc>
-gen_tunable(xend_run_qemu, true)
+gen_tunable(xend_run_qemu, false)

  ## <desc>
  ## <p>
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xguest.te 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te	Thu 
Aug 23 19:23:00 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te	Thu 
Sep  6 10:53:49 2012
@@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
  ## Allow xguest users to mount removable media
  ## </p>
  ## </desc>
-gen_tunable(xguest_mount_media, true)
+gen_tunable(xguest_mount_media, false)

  ## <desc>
  ## <p>
  ## Allow xguest to configure Network Manager
  ## </p>
  ## </desc>
-gen_tunable(xguest_connect_network, true)
+gen_tunable(xguest_connect_network, false)

  ## <desc>
  ## <p>
  ## Allow xguest to use blue tooth devices
  ## </p>
  ## </desc>
-gen_tunable(xguest_use_bluetooth, true)
+gen_tunable(xguest_use_bluetooth, false)

  role xguest_r;

diff -pru 
refpolicy-09062012-git-master/policy/modules/services/postgresql.te 
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
--- refpolicy-09062012-git-master/policy/modules/services/postgresql.te 
Thu Sep  6 10:50:18 2012
+++ 
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te 
Thu Sep  6 10:51:57 2012
@@ -23,7 +23,7 @@ gen_require(`
  ## Allow unprived users to execute DDL statement
  ## </p>
  ## </desc>
-gen_tunable(sepgsql_enable_users_ddl, true)
+gen_tunable(sepgsql_enable_users_ddl, false)

  ## <desc>
  ## <p>
@@ -37,7 +37,7 @@ gen_tunable(sepgsql_transmit_client_labe
  ## Allow database admins to execute DML statement
  ## </p>
  ## </desc>
-gen_tunable(sepgsql_unconfined_dbadm, true)
+gen_tunable(sepgsql_unconfined_dbadm, false)

  type postgresql_t;
  type postgresql_exec_t;


* [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)
  2012-09-06 11:14           ` [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) Guido Trentalancia
@ 2012-09-06 12:54             ` Daniel J Walsh
  0 siblings, 0 replies; 22+ messages in thread
From: Daniel J Walsh @ 2012-09-06 12:54 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2012 07:14 AM, Guido Trentalancia wrote:
> Hello Daniel.
> 
> Following your reflections, I have checked the current situation and I
> share the concerns, so I have created a patch which disables most tunable
> policy booleans (except network and the mcelog module as it deals amongst
> other things with CPU thermal events which can be related to hardware
> failures).
> 
> On 05/09/2012 15:24, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>> 
>>>> 
>>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>> 
>>>>>> Add a new boolean to grant users access to dosfs_t. --- 
>>>>>> policy/global_tunables              |    7 +++++++ 
>>>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files
>>>>>> changed, 13 insertions(+)
>>>>>> 
>>>>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>>>>> index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ 
>>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@ 
>>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> 
>>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +##
>>>>>> Allow users to manage files on dosfs_t devices, usually removable
>>>>>> media +## </p> +## </desc>
>>>>>> +gen_tunable(user_manage_dos_files,true)
>>>>> 
>>>>> In my opinion is good to have this as on option, but in a secure 
>>>>> environment the default should be false for removable media.
>>>> 
>>>> i would prefer the boolean to be fprefix userdom or userdomain
>>>> instead of user, because that it the module that declares this
>>>> boolean.
>>>> 
>>>> Since the user is also allowed to manage dos dirs i would probably
>>>> call it: userdomain_manage_dos_content
>>>> 
>>>> as description i would use:
>>>> 
>>>> "Determine whether users can manage dosfs content."
>>> 
>>> I agree. And, in particular it's not "dos files" which can be
>>> confusing, but dos filesystems which is already perfectioned in
>>> Dominick's amendments.
>>> 
>>>>>> diff --git a/policy/modules/system/userdomain.if 
>>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65
>>>>>> 100644 --- a/policy/modules/system/userdomain.if +++ 
>>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@ 
>>>>>> template(`userdom_base_user_template',` # Allow making the stack 
>>>>>> executable via mprotect. allow $1_t self:process execstack; ') +
>>>>>> + tunable_policy(`user_manage_dos_files',` +
>>>>>> fs_manage_dos_dirs($1_t) +        fs_manage_dos_files($1_t) +
>>>>>> ') + ')
>>>>>> 
>>>>>> #######################################
>>> 
>>> _______________________________________________ refpolicy mailing list 
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>> 
>> I think all booleans should be off by default and then the distributions
>> can decide which booleans to turn on using the booleans.conf file.  This
>> would allow us one file to look at to see what is enabled.
> 
> Turn off all/most tunable policy booleans by default in Reference Policy
> (except network).
> 
> They can be enabled on a per-distribution basis and many of those that were
> enabled were somehow risky as defaults.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com> ---
> 
> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te 
> --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te    Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
>  Thu Sep  6 10:56:21 2012 @@ -30,7 +30,7 @@
> gen_tunable(mcelog_exec_scripts, true) ## print out usage and version
> information. ## </p> ## </desc> -gen_tunable(mcelog_foreground, true) 
> +gen_tunable(mcelog_foreground, false)
> 
> ## <desc> ## <p> @@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ##
> syslog option. ## </p> ## </desc> -gen_tunable(mcelog_syslog, true) 
> +gen_tunable(mcelog_syslog, false)
> 
> type mcelog_t; type mcelog_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
> Thu Sep  6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network,
> false) ## Allow qemu to use cifs/Samba file systems ## </p> ## </desc> 
> -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false)
> 
> ## <desc> ## <p> @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ##
> Allow qemu to use nfs file systems ## </p> ## </desc> 
> -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false)
> 
> ## <desc> ## <p> ## Allow qemu to use usb devices ## </p> ## </desc> 
> -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false)
> 
> type qemu_exec_t; virt_domain_template(qemu) diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu 
> Sep  6 10:54:59 2012 @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow
> gssd to read temp directory.  For access to kerberos tgt. ## </p> ##
> </desc> -gen_tunable(allow_gssd_read_tmp, true) 
> +gen_tunable(allow_gssd_read_tmp, false)
> 
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
> 
- --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te    Thu
> Aug 23 19:23:00 2012 +++ 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
> 
Thu Sep  6 10:54:20 2012
> @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd
> to read/write user home directories. ## </p> ## </desc> 
> -gen_tunable(spamd_enable_home_dirs, true) 
> +gen_tunable(spamd_enable_home_dirs, false)
> 
> type spamassassin_t; type spamassassin_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
> Thu Sep  6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs,
> false) ## Allow virt to use usb devices ## </p> ## </desc> 
> -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false)
> 
> virt_domain_template(svirt) role system_r types svirt_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu 
> Sep  6 10:54:41 2012 @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not
> required if using dedicated logical volumes for disk images. ## </p> ##
> </desc> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap,
> false)
> 
> ## <desc> ## <p> @@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ##
> Not required if using paravirt and no vfb. ## </p> ## </desc> 
> -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false)
> 
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xguest.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te 
> --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te    Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
>  Thu Sep  6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0) 
> ## Allow xguest users to mount removable media ## </p> ## </desc> 
> -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media,
> false)
> 
> ## <desc> ## <p> ## Allow xguest to configure Network Manager ## </p> ##
> </desc> -gen_tunable(xguest_connect_network, true) 
> +gen_tunable(xguest_connect_network, false)
> 
> ## <desc> ## <p> ## Allow xguest to use blue tooth devices ## </p> ##
> </desc> -gen_tunable(xguest_use_bluetooth, true) 
> +gen_tunable(xguest_use_bluetooth, false)
> 
> role xguest_r;
> 
> diff -pru
> refpolicy-09062012-git-master/policy/modules/services/postgresql.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
> 
- --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep
> 6 10:50:18 2012 +++ 
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
> 
Thu Sep  6 10:51:57 2012
> @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL
> statement ## </p> ## </desc> -gen_tunable(sepgsql_enable_users_ddl, true) 
> +gen_tunable(sepgsql_enable_users_ddl, false)
> 
> ## <desc> ## <p> @@ -37,7 +37,7 @@
> gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to
> execute DML statement ## </p> ## </desc> 
> -gen_tunable(sepgsql_unconfined_dbadm, true) 
> +gen_tunable(sepgsql_unconfined_dbadm, false)
> 
> type postgresql_t; type postgresql_exec_t;
> 

That looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBInPMACgkQrlYvE4MpobMJrQCfY6dUKRIs/7FCJSwAuDweNkU1
9koAn25rZqW1R1Km6q9+ygRZW7Y76TvU
=lxXC
-----END PGP SIGNATURE-----


* [refpolicy] [PATCH 2/3] user access to DOS files
  2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville
  2012-09-04 23:45   ` Guido Trentalancia
@ 2012-09-06 14:24   ` Laurent Bigonville
  2012-09-06 16:31     ` Guido Trentalancia
  1 sibling, 1 reply; 22+ messages in thread
From: Laurent Bigonville @ 2012-09-06 14:24 UTC (permalink / raw)
  To: refpolicy

Le Tue,  4 Sep 2012 23:21:08 +0200,
Laurent Bigonville <bigon@debian.org> a écrit :

> +	tunable_policy(`user_manage_dos_files',`
> +		fs_manage_dos_dirs($1_t)
> +		fs_manage_dos_files($1_t)
> +	')
> +
>  ')

I was reading the code further and isn't the proposed patch actually
redundant with user_rw_noexattrfile?

        tunable_policy(`user_rw_noexattrfile',`
                fs_manage_noxattr_fs_files($1_t)
                fs_manage_noxattr_fs_dirs($1_t)
        ',`
                fs_read_noxattr_fs_files($1_t)
        ')

So shouldn't the proposed patch simply be dropped?

Cheers

Laurent Bigonville


* [refpolicy] [PATCH 2/3] user access to DOS files
  2012-09-06 14:24   ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville
@ 2012-09-06 16:31     ` Guido Trentalancia
  2012-09-06 16:39       ` Guido Trentalancia
  2012-09-06 17:05       ` Guido Trentalancia
  0 siblings, 2 replies; 22+ messages in thread
From: Guido Trentalancia @ 2012-09-06 16:31 UTC (permalink / raw)
  To: refpolicy

On 06/09/2012 16:24, Laurent Bigonville wrote:
> Le Tue,  4 Sep 2012 23:21:08 +0200,
> Laurent Bigonville <bigon@debian.org> a ?crit :
>
>> +	tunable_policy(`user_manage_dos_files',`
>> +		fs_manage_dos_dirs($1_t)
>> +		fs_manage_dos_files($1_t)
>> +	')
>> +
>>   ')
>
> I was reading the code further and isn't the proposed patch actually
> redundant with user_rw_noexattrfile?
>
>          tunable_policy(`user_rw_noexattrfile',`
>                  fs_manage_noxattr_fs_files($1_t)
>                  fs_manage_noxattr_fs_dirs($1_t)
>          ',`
>                  fs_read_noxattr_fs_files($1_t)
>          ')
>
> So shouldn't the proposed patch simply be dropped?

Fortunately, it has not been applied, I think. And if it causes problems 
and degradation of current policy, as you now recognize, why did you 
post it in the first place then ?

> Cheers
>
> Laurent Bigonville


* [refpolicy] [PATCH 2/3] user access to DOS files
  2012-09-06 16:31     ` Guido Trentalancia
@ 2012-09-06 16:39       ` Guido Trentalancia
  2012-09-06 17:05       ` Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2012-09-06 16:39 UTC (permalink / raw)
  To: refpolicy

On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> Le Tue,  4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville <bigon@debian.org> a ?crit :
>>
>>> +	tunable_policy(`user_manage_dos_files',`
>>> +		fs_manage_dos_dirs($1_t)
>>> +		fs_manage_dos_files($1_t)
>>> +	')
>>> +
>>>    ')
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>>           tunable_policy(`user_rw_noexattrfile',`
>>                   fs_manage_noxattr_fs_files($1_t)
>>                   fs_manage_noxattr_fs_dirs($1_t)
>>           ',`
>>                   fs_read_noxattr_fs_files($1_t)
>>           ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then ?

The version above does not exclude xattr-capable filesystems, so it leads to a marked 
security flaw. It also leads to another security risk, as already pointed out in 
previous messages (no boolean, disabled by default, for writing to cross-OS filesystems).

This project goes in the opposite direction, I suppose...


* [refpolicy] [PATCH 2/3] user access to DOS files
  2012-09-06 16:31     ` Guido Trentalancia
  2012-09-06 16:39       ` Guido Trentalancia
@ 2012-09-06 17:05       ` Guido Trentalancia
  1 sibling, 0 replies; 22+ messages in thread
From: Guido Trentalancia @ 2012-09-06 17:05 UTC (permalink / raw)
  To: refpolicy

On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> Le Tue,  4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville <bigon@debian.org> a ?crit :
>>
>>> +	tunable_policy(`user_manage_dos_files',`
>>> +		fs_manage_dos_dirs($1_t)
>>> +		fs_manage_dos_files($1_t)
>>> +	')
>>> +
>>>    ')
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>>           tunable_policy(`user_rw_noexattrfile',`
>>                   fs_manage_noxattr_fs_files($1_t)
>>                   fs_manage_noxattr_fs_dirs($1_t)
>>           ',`
>>                   fs_read_noxattr_fs_files($1_t)
>>           ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then ?

If you want to have some fun with filesystem-related things, then a very 
light supplemental patch might be needed for the latest versions of the 
ntfs-3g project, as far as I remember from testing. It would need to 
have FUSE support, but made optional (through appropriate use of tunable policy, 
which means not allowing by default the loading of the fuse.ko kernel module 
and a few other related permissions that are only needed in FUSE-supporting 
versions).

