* [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors @ 2012-09-04 21:21 Laurent Bigonville 2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville 2012-09-04 21:21 ` [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request Laurent Bigonville 0 siblings, 2 replies; 22+ messages in thread From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw) To: refpolicy From: Laurent Bigonville <bigon@bigon.be> --- policy/modules/kernel/corecommands.if | 2 +- policy/modules/kernel/filesystem.if | 2 +- policy/modules/kernel/kernel.if | 6 +++--- policy/modules/services/ssh.if | 2 +- policy/modules/system/init.if | 4 ++-- policy/modules/system/libraries.if | 4 ++-- policy/modules/system/mount.if | 2 +- policy/modules/system/unconfined.if | 4 ++-- 8 files changed, 13 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 9e9263a..6aea26e 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -51,7 +51,7 @@ interface(`corecmd_executable_file',` ## </param> # interface(`corecmd_bin_alias',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 7c6b791..dbba365 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1790,7 +1790,7 @@ interface(`fs_manage_dos_files',` # # eventpollfs was changed to task SID 20060628 interface(`fs_read_eventpollfs',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 4bf45cb..cf7e492 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
@@ -299,7 +299,7 @@ interface(`kernel_dgram_send',` ## </param> # interface(`kernel_tcp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -313,7 +313,7 @@ interface(`kernel_tcp_recvfrom',` ## </param> # interface(`kernel_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -327,7 +327,7 @@ interface(`kernel_udp_send',` ## </param> # interface(`kernel_udp_recvfrom',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index fe0c682..057a197 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -582,7 +582,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',` ## </param> # interface(`ssh_tcp_connect',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 3f0c2d3..e608e05 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -670,7 +670,7 @@ interface(`init_dontaudit_use_fds',` ## </param> # interface(`init_udp_send',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -1359,7 +1359,7 @@ interface(`init_rw_script_pipes',` ## </param> # interface(`init_udp_send_script',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if index 808ba93..b24ebed 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if 
@@ -503,7 +503,7 @@ interface(`libs_relabel_shared_libs',` ## </param> # interface(`lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## @@ -532,5 +532,5 @@ interface(`lib_filetrans_shared_lib',` ## </param> # interface(`files_lib_filetrans_shared_lib',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if index 4584457..2c7f07d 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -126,7 +126,7 @@ interface(`mount_use_fds',` ## </param> # interface(`mount_send_nfs_client_request',` - refpolicywarn(`$0($*) has been deprecated.') + refpolicyerr(`$0($*) has been deprecated.') ') ######################################## diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index db7aabb..74b171d 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -150,7 +150,7 @@ interface(`unconfined_domain',` ## </param> # interface(`unconfined_alias_domain',` - refpolicywarn(`$0($1) has been deprecated.') + refpolicyerr(`$0($1) has been deprecated.') ') ######################################## @@ -176,7 +176,7 @@ interface(`unconfined_alias_domain',` ## </param> # interface(`unconfined_execmem_alias_program',` - refpolicywarn(`$0($1) has been deprecated.') + refpolicyerr(`$0($1) has been deprecated.') ') ######################################## -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 22+ messages in thread
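Review bot: the commit message has no body beyond the subject line. The corecommands hunk (and every hunk after it) turns a long-standing refpolicywarn into refpolicyerr, so an out-of-tree module that still calls corecmd_bin_alias, kernel_udp_send, ssh_tcp_connect or any of the other interfaces listed here stops building instead of warning; the message should say so and state why these particular interfaces get no grace period (the subject only hints at it with "not providing replacement").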
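Review bot: style nit in the unconfined.if hunks: unconfined_alias_domain and unconfined_execmem_alias_program report `$0($1)` while every other interface touched by this patch reports `$0($*)`. Since the patch already rewrites each of these lines, it is a good moment to make the error text consistent, e.g. `refpolicyerr(`$0($*) has been deprecated.')` throughout.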
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-04 21:21 [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors Laurent Bigonville @ 2012-09-04 21:21 ` Laurent Bigonville 2012-09-04 23:45 ` Guido Trentalancia 2012-09-06 14:24 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville 2012-09-04 21:21 ` [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request Laurent Bigonville 1 sibling, 2 replies; 22+ messages in thread From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw) To: refpolicy From: Mika Pfl?ger <debian@mikapflueger.de> Add a new boolean to grant users access to dosfs_t. --- policy/global_tunables | 7 +++++++ policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/policy/global_tunables b/policy/global_tunables index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow users to manage files on dosfs_t devices, usually removable media +## </p> +## </desc> +gen_tunable(user_manage_dos_files,true) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) + ') + ') ####################################### -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 22+ messages in thread
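Review bot: in the global_tunables hunk, `gen_tunable(user_manage_dos_files,true)` ships the new access on by default, so every domain built from userdom_base_user_template gets manage access to dosfs_t on a stock build; a tunable that adds access normally defaults to false and is enabled per site with setsebool. The declaration also sits in policy/global_tunables while the rules it guards live in the userdomain module, so the name should carry that module's prefix (userdom_ or userdomain_) rather than a bare user_.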
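Review bot: in the userdomain.if hunk the block is added as `+ ')` followed by an empty `+` line immediately before the template's own closing `')`, leaving a trailing blank line inside the template body; drop that empty line. Because the block calls both fs_manage_dos_dirs and fs_manage_dos_files, the tunable's name and its description ("manage files") undersell what it grants; "dos content" or "dirs and files" would match the rules.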
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville @ 2012-09-04 23:45 ` Guido Trentalancia 2012-09-05 0:32 ` Russell Coker 2012-09-05 7:00 ` Dominick Grift 2012-09-06 14:24 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville 1 sibling, 2 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-04 23:45 UTC (permalink / raw) To: refpolicy On 04/09/2012 23:21, Laurent Bigonville wrote: > From: Mika Pfl?ger <debian@mikapflueger.de> > > Add a new boolean to grant users access to dosfs_t. > --- > policy/global_tunables | 7 +++++++ > policy/modules/system/userdomain.if | 6 ++++++ > 2 files changed, 13 insertions(+) > > diff --git a/policy/global_tunables b/policy/global_tunables > index 4705ab6..43cc19a 100644 > --- a/policy/global_tunables > +++ b/policy/global_tunables > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) > ## </p> > ## </desc> > gen_tunable(user_tcp_server,false) > + > +## <desc> > +## <p> > +## Allow users to manage files on dosfs_t devices, usually removable media > +## </p> > +## </desc> > +gen_tunable(user_manage_dos_files,true) In my opinion it is good to have this as an option, but in a secure environment the default should be false for removable media. > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index e720dcd..0c96b65 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + tunable_policy(`user_manage_dos_files',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + > ') > > ####################################### > Regards, Guido ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-04 23:45 ` Guido Trentalancia @ 2012-09-05 0:32 ` Russell Coker 2012-09-05 8:47 ` Guido Trentalancia 2012-09-05 7:00 ` Dominick Grift 1 sibling, 1 reply; 22+ messages in thread From: Russell Coker @ 2012-09-05 0:32 UTC (permalink / raw) To: refpolicy On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote: > > +## <desc> > > +## <p> > > +## Allow users to manage files on dosfs_t devices, usually removable > > media +## </p> > > +## </desc> > > +gen_tunable(user_manage_dos_files,true) > > In my opinion is good to have this as on option, but in a secure > environment the default should be false for removable media. It's one setsebool command to make it "secure" in that regard. I think that for most systems where you really don't want users reading files on FAT filesystems you won't have the ability to even mount them (remove USB ports etc). For the majority of servers there will be no physical access by untrusted users. For the majority of desktop systems such access will be desired and it's one more potential thing for less clueful people to cite as a reason for not using SE Linux if it doesn't work by default. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-05 0:32 ` Russell Coker @ 2012-09-05 8:47 ` Guido Trentalancia 0 siblings, 0 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-05 8:47 UTC (permalink / raw) To: refpolicy On 05/09/2012 02:32, Russell Coker wrote: > On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote: >>> +## <desc> >>> +## <p> >>> +## Allow users to manage files on dosfs_t devices, usually removable >>> media +## </p> >>> +## </desc> >>> +gen_tunable(user_manage_dos_files,true) >> >> In my opinion is good to have this as on option, but in a secure >> environment the default should be false for removable media. > > It's one setsebool command to make it "secure" in that regard. I think that > for most systems where you really don't want users reading files on FAT > filesystems you won't have the ability to even mount them (remove USB ports > etc). For the majority of servers there will be no physical access by > untrusted users. For the majority of desktop systems such access will be > desired and it's one more potential thing for less clueful people to cite as a > reason for not using SE Linux if it doesn't work by default. It depends in my opinion whether most desktops are "home" and "personal" desktops or "office" desktops... I do not have such a figure at hand now. But for sure, with business networks being routinely or randomly monitored, one of the major sources of leaks of confidential data from companies nowadays is removable media. Best regards, Guido ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-04 23:45 ` Guido Trentalancia 2012-09-05 0:32 ` Russell Coker @ 2012-09-05 7:00 ` Dominick Grift 2012-09-05 8:41 ` Guido Trentalancia 2012-09-05 15:50 ` [refpolicy] [PATCH v2 2/3] user access to DOS filesystems Laurent Bigonville 1 sibling, 2 replies; 22+ messages in thread From: Dominick Grift @ 2012-09-05 7:00 UTC (permalink / raw) To: refpolicy On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: > On 04/09/2012 23:21, Laurent Bigonville wrote: > > From: Mika Pfl?ger <debian@mikapflueger.de> > > > > Add a new boolean to grant users access to dosfs_t. > > --- > > policy/global_tunables | 7 +++++++ > > policy/modules/system/userdomain.if | 6 ++++++ > > 2 files changed, 13 insertions(+) > > > > diff --git a/policy/global_tunables b/policy/global_tunables > > index 4705ab6..43cc19a 100644 > > --- a/policy/global_tunables > > +++ b/policy/global_tunables > > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) > > ## </p> > > ## </desc> > > gen_tunable(user_tcp_server,false) > > + > > +## <desc> > > +## <p> > > +## Allow users to manage files on dosfs_t devices, usually removable media > > +## </p> > > +## </desc> > > +gen_tunable(user_manage_dos_files,true) > > In my opinion is good to have this as on option, but in a secure > environment the default should be false for removable media. I would prefer the boolean to be prefixed userdom or userdomain instead of user, because that is the module that declares this boolean. Since the user is also allowed to manage dos dirs I would probably call it: userdomain_manage_dos_content As description I would use: "Determine whether users can manage dosfs content." > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > > index e720dcd..0c96b65 100644 > > --- a/policy/modules/system/userdomain.if > > +++ b/policy/modules/system/userdomain.if
> > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` > > # Allow making the stack executable via mprotect. > > allow $1_t self:process execstack; > > ') > > + > > + tunable_policy(`user_manage_dos_files',` > > + fs_manage_dos_dirs($1_t) > > + fs_manage_dos_files($1_t) > > + ') > > + > > ') > > > > ####################################### > > > > Regards, > > Guido > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-05 7:00 ` Dominick Grift @ 2012-09-05 8:41 ` Guido Trentalancia 2012-09-05 13:24 ` Daniel J Walsh 2012-09-05 15:50 ` [refpolicy] [PATCH v2 2/3] user access to DOS filesystems Laurent Bigonville 1 sibling, 1 reply; 22+ messages in thread From: Guido Trentalancia @ 2012-09-05 8:41 UTC (permalink / raw) To: refpolicy On 05/09/2012 09:00, Dominick Grift wrote: > > > On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: >> On 04/09/2012 23:21, Laurent Bigonville wrote: >>> From: Mika Pfl?ger <debian@mikapflueger.de> >>> >>> Add a new boolean to grant users access to dosfs_t. >>> --- >>> policy/global_tunables | 7 +++++++ >>> policy/modules/system/userdomain.if | 6 ++++++ >>> 2 files changed, 13 insertions(+) >>> >>> diff --git a/policy/global_tunables b/policy/global_tunables >>> index 4705ab6..43cc19a 100644 >>> --- a/policy/global_tunables >>> +++ b/policy/global_tunables >>> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) >>> ## </p> >>> ## </desc> >>> gen_tunable(user_tcp_server,false) >>> + >>> +## <desc> >>> +## <p> >>> +## Allow users to manage files on dosfs_t devices, usually removable media >>> +## </p> >>> +## </desc> >>> +gen_tunable(user_manage_dos_files,true) >> >> In my opinion is good to have this as on option, but in a secure >> environment the default should be false for removable media. > > i would prefer the boolean to be fprefix userdom or userdomain instead > of user, because that it the module that declares this boolean. > > Since the user is also allowed to manage dos dirs i would probably call > it: userdomain_manage_dos_content > > as description i would use: > > "Determine whether users can manage dosfs content." I agree. And, in particular, it's not "dos files", which can be confusing, but dos filesystems, which is already perfected in Dominick's amendments.
>>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if >>> index e720dcd..0c96b65 100644 >>> --- a/policy/modules/system/userdomain.if >>> +++ b/policy/modules/system/userdomain.if >>> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` >>> # Allow making the stack executable via mprotect. >>> allow $1_t self:process execstack; >>> ') >>> + >>> + tunable_policy(`user_manage_dos_files',` >>> + fs_manage_dos_dirs($1_t) >>> + fs_manage_dos_files($1_t) >>> + ') >>> + >>> ') >>> >>> ####################################### ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-05 8:41 ` Guido Trentalancia @ 2012-09-05 13:24 ` Daniel J Walsh 2012-09-05 15:04 ` Guido Trentalancia 2012-09-06 11:14 ` [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) Guido Trentalancia 0 siblings, 2 replies; 22+ messages in thread From: Daniel J Walsh @ 2012-09-05 13:24 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/05/2012 04:41 AM, Guido Trentalancia wrote: > On 05/09/2012 09:00, Dominick Grift wrote: >> >> >> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: >>> On 04/09/2012 23:21, Laurent Bigonville wrote: >>>> From: Mika Pfl?ger <debian@mikapflueger.de> >>>> >>>> Add a new boolean to grant users access to dosfs_t. --- >>>> policy/global_tunables | 7 +++++++ >>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13 >>>> insertions(+) >>>> >>>> diff --git a/policy/global_tunables b/policy/global_tunables index >>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ >>>> b/policy/global_tunables 
@@ -111,3 +111,10 @@ >>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> >>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow >>>> users to manage files on dosfs_t devices, usually removable media +## >>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true) >>> >>> In my opinion is good to have this as on option, but in a secure >>> environment the default should be false for removable media. >> >> i would prefer the boolean to be fprefix userdom or userdomain instead of >> user, because that it the module that declares this boolean. >> >> Since the user is also allowed to manage dos dirs i would probably call >> it: userdomain_manage_dos_content >> >> as description i would use: >> >> "Determine whether users can manage dosfs content." > > I agree. And, in particular it's not "dos files" which can be confusing, > but dos filesystems which is already perfectioned in Dominick's > amendments. > >>>> diff --git a/policy/modules/system/userdomain.if >>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644 >>>> --- a/policy/modules/system/userdomain.if +++ >>>> b/policy/modules/system/userdomain.if 
@@ -117,6 +117,12 @@ >>>> template(`userdom_base_user_template',` # Allow making the stack >>>> executable via mprotect. allow $1_t self:process execstack; ') + + >>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t) >>>> + fs_manage_dos_files($1_t) + ') + ') >>>> >>>> ####################################### > > _______________________________________________ refpolicy mailing list > refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy > I think all booleans should be off by default and then the distributions can decide which booleans to turn on using the booleans.conf file. This would allow us one file to look at to see what is enabled. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBHUoMACgkQrlYvE4MpobMVPgCgwwQb/Vq1EYmSsagQNwF3iuTw SasAn0ikgSzoEUB0TO9dU4tyS4oaifNz =gc0X -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 22+ messages in thread
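Dan's "one file to look at to see what is enabled" point, as an added example that is not code from this thread or from refpolicy: a small Python audit that reads gen_tunable() declarations from policy sources, applies a booleans.conf overlay, and reports which tunables end up enabled and whether that came from the policy default or from the distribution file. The policy snippets and booleans.conf content below are constructed, and the `name = true` line format assumed for booleans.conf is an assumption.

```python
"""Audit which refpolicy tunables are actually enabled: the gen_tunable()
defaults declared in the policy sources combined with a distribution's
booleans.conf overrides. Added example for this thread, not refpolicy code;
the file formats are assumed from the snippets quoted in the discussion."""
import re

# gen_tunable(name, default) as it appears in global_tunables and *.te files;
# whitespace after the comma is optional (both spellings occur in the thread).
_TUNABLE_RE = re.compile(
    r"^\s*gen_tunable\(\s*(\w+)\s*,\s*(true|false)\s*\)", re.MULTILINE)
# The XML-ish comment block that documents a tunable: ## <p> ... ## </p>
_DESC_RE = re.compile(r"## <p>(.*?)## </p>", re.DOTALL)
# booleans.conf lines are assumed to look like:  name = true  (# comments allowed)
_CONF_RE = re.compile(r"^(\w+)\s*=\s*(true|false)$")


def parse_tunables(source: str) -> dict:
    """Return {name: {"default": bool, "desc": str}} for each gen_tunable in source.

    The description is taken from the <p> block between the previous declaration
    and this one, so a tunable without a block gets an empty desc instead of
    inheriting its neighbour's text.
    """
    tunables = {}
    prev_end = 0
    for m in _TUNABLE_RE.finditer(source):
        blocks = _DESC_RE.findall(source[prev_end:m.start()])
        desc = " ".join(blocks[-1].replace("##", "").split()) if blocks else ""
        tunables[m.group(1)] = {"default": m.group(2) == "true", "desc": desc}
        prev_end = m.end()
    return tunables


def parse_booleans_conf(text: str) -> dict:
    """Return {name: bool} from a booleans.conf-style file; malformed lines are skipped."""
    overrides = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _CONF_RE.match(line)
        if m:
            overrides[m.group(1)] = m.group(2) == "true"
    return overrides


def effective_settings(tunables: dict, overrides: dict) -> tuple:
    """Combine declared defaults with overrides.

    Returns (settings, unknown): settings maps every declared tunable to its
    effective value; unknown lists override names that match no declaration,
    typically a typo that would otherwise silently leave the default in place.
    """
    settings = {name: info["default"] for name, info in tunables.items()}
    unknown = []
    for name, value in overrides.items():
        if name in settings:
            settings[name] = value
        else:
            unknown.append(name)
    return settings, sorted(unknown)


def enabled_report(tunables: dict, overrides: dict) -> list:
    """List (name, source, desc) for every tunable that ends up enabled; source is
    'default' when the policy itself ships it on and 'booleans.conf' when the
    distribution override turned it on. Sorted by name."""
    settings, _ = effective_settings(tunables, overrides)
    report = []
    for name in sorted(settings):
        if settings[name]:
            source = "booleans.conf" if name in overrides else "default"
            report.append((name, source, tunables[name]["desc"]))
    return report


# Constructed sample input modelled on the declarations quoted in the thread.
POLICY_SOURCES = """
## <desc>
## <p>
## Allow users to run TCP servers
## </p>
## </desc>
gen_tunable(user_tcp_server,false)

## <desc>
## <p>
## Allow users to manage files on dosfs_t devices, usually removable media
## </p>
## </desc>
gen_tunable(user_manage_dos_files,true)

## <desc>
## <p>
## Allow mcelog to run in foreground mode
## </p>
## </desc>
gen_tunable(mcelog_foreground, true)

## <desc>
## <p>
## Allow mcelog to run as a server
## </p>
## </desc>
gen_tunable(mcelog_server, false)
"""

# Constructed booleans.conf: one flip each way plus a misspelt name.
BOOLEANS_CONF = """
# distribution defaults
user_manage_dos_files = false   # do not hand users removable-media access by default
mcelog_server = true
user_tcp_sever = true           # typo: matches no tunable
"""

if __name__ == "__main__":
    tunables = parse_tunables(POLICY_SOURCES)
    overrides = parse_booleans_conf(BOOLEANS_CONF)
    for name, source, desc in enabled_report(tunables, overrides):
        print(f"{name:<24} on via {source:<13} {desc}")
    for name in effective_settings(tunables, overrides)[1]:
        print(f"warning: {name} in booleans.conf matches no gen_tunable()")
```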
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-05 13:24 ` Daniel J Walsh @ 2012-09-05 15:04 ` Guido Trentalancia 2012-09-06 11:14 ` [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) Guido Trentalancia 1 sibling, 0 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-05 15:04 UTC (permalink / raw) To: refpolicy On 05/09/2012 15:24, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/05/2012 04:41 AM, Guido Trentalancia wrote: >> On 05/09/2012 09:00, Dominick Grift wrote: >>> >>> >>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: >>>> On 04/09/2012 23:21, Laurent Bigonville wrote: >>>>> From: Mika Pfl?ger <debian@mikapflueger.de> >>>>> >>>>> Add a new boolean to grant users access to dosfs_t. --- >>>>> policy/global_tunables | 7 +++++++ >>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13 >>>>> insertions(+) >>>>> >>>>> diff --git a/policy/global_tunables b/policy/global_tunables index >>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ >>>>> b/policy/global_tunables 
@@ -111,3 +111,10 @@ >>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> >>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow >>>>> users to manage files on dosfs_t devices, usually removable media +## >>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true) >>>> >>>> In my opinion is good to have this as on option, but in a secure >>>> environment the default should be false for removable media. >>> >>> i would prefer the boolean to be fprefix userdom or userdomain instead of >>> user, because that it the module that declares this boolean. >>> >>> Since the user is also allowed to manage dos dirs i would probably call >>> it: userdomain_manage_dos_content >>> >>> as description i would use: >>> >>> "Determine whether users can manage dosfs content." >> >> I agree. And, in particular it's not "dos files" which can be confusing, >> but dos filesystems which is already perfectioned in Dominick's >> amendments. >> >>>>> diff --git a/policy/modules/system/userdomain.if >>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644 >>>>> --- a/policy/modules/system/userdomain.if +++ >>>>> b/policy/modules/system/userdomain.if 
@@ -117,6 +117,12 @@ >>>>> template(`userdom_base_user_template',` # Allow making the stack >>>>> executable via mprotect. allow $1_t self:process execstack; ') + + >>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t) >>>>> + fs_manage_dos_files($1_t) + ') + ') >>>>> >>>>> ####################################### >> >> _______________________________________________ refpolicy mailing list >> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy >> > I think all booleans should be off by default and then the distributions can > decide which booleans to turn on using the booleans.conf file. This would > allow us one file to look at to see what is enabled. Yes, exactly. At least until Reference Policy decides to ship a few official example booleans.conf configuration files in a separate directory, to resemble typical situations/environments such as the ones already described as "personal", "home", "office" and so on. Another possible point of failure with allowing by default filesystems for other OSes is given by the presence of multi-boot systems. On such systems, if one OS is compromised, it could in theory compromise the others too. So, in theory (and in my opinion), it's not just a matter of preventing the mount of removable media, which as Russell Coker noted can be disabled elsewhere... Regards, Guido ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) 2012-09-05 13:24 ` Daniel J Walsh 2012-09-05 15:04 ` Guido Trentalancia @ 2012-09-06 11:14 ` Guido Trentalancia 2012-09-06 12:54 ` Daniel J Walsh 1 sibling, 1 reply; 22+ messages in thread From: Guido Trentalancia @ 2012-09-06 11:14 UTC (permalink / raw) To: refpolicy Hello Daniel. Following your reflections, I have checked the current situation and I share the concerns, so I have created a patch which disables most tunable policy booleans (except network and the mcelog module as it deals amongst other things with CPU thermal events which can be related to hardware failures). On 05/09/2012 15:24, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/05/2012 04:41 AM, Guido Trentalancia wrote: >> On 05/09/2012 09:00, Dominick Grift wrote: >>> >>> >>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: >>>> On 04/09/2012 23:21, Laurent Bigonville wrote: >>>>> From: Mika Pfl?ger <debian@mikapflueger.de> >>>>> >>>>> Add a new boolean to grant users access to dosfs_t. --- >>>>> policy/global_tunables | 7 +++++++ >>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13 >>>>> insertions(+) >>>>> >>>>> diff --git a/policy/global_tunables b/policy/global_tunables index >>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ >>>>> b/policy/global_tunables 
@@ -111,3 +111,10 @@ >>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> >>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow >>>>> users to manage files on dosfs_t devices, usually removable media +## >>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true) >>>> >>>> In my opinion is good to have this as on option, but in a secure >>>> environment the default should be false for removable media. >>> >>> i would prefer the boolean to be fprefix userdom or userdomain instead of >>> user, because that it the module that declares this boolean. >>> >>> Since the user is also allowed to manage dos dirs i would probably call >>> it: userdomain_manage_dos_content >>> >>> as description i would use: >>> >>> "Determine whether users can manage dosfs content." >> >> I agree. And, in particular it's not "dos files" which can be confusing, >> but dos filesystems which is already perfectioned in Dominick's >> amendments. >> >>>>> diff --git a/policy/modules/system/userdomain.if >>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644 >>>>> --- a/policy/modules/system/userdomain.if +++ >>>>> b/policy/modules/system/userdomain.if 
@@ -117,6 +117,12 @@ >>>>> template(`userdom_base_user_template',` # Allow making the stack >>>>> executable via mprotect. allow $1_t self:process execstack; ') + + >>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t) >>>>> + fs_manage_dos_files($1_t) + ') + ') >>>>> >>>>> ####################################### >> >> _______________________________________________ refpolicy mailing list >> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy >> > I think all booleans should be off by default and then the distributions can > decide which booleans to turn on using the booleans.conf file. This would > allow us one file to look at to see what is enabled. Turn off all/most tunable policy booleans by default in Reference Policy (except network). They can be enabled on a per-distribution basis and many of those that were enabled were somehow risky as defaults. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te Thu Sep 6 10:56:21 2012 @@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true) ## print out usage and version information. ## </p> ## </desc> -gen_tunable(mcelog_foreground, true) +gen_tunable(mcelog_foreground, false) ## <desc> ## <p> 
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ## syslog option. ## </p> ## </desc> -gen_tunable(mcelog_syslog, true) +gen_tunable(mcelog_syslog, false) type mcelog_t; type mcelog_exec_t; diff -pru refpolicy-09062012-git-master/policy/modules/contrib/qemu.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te --- refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te Thu Sep 6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false) ## Allow qemu to use cifs/Samba file systems ## </p> ## </desc> -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false) ## <desc> ## <p> @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ## Allow qemu to use nfs file systems ## </p> ## </desc> -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false) ## <desc> ## <p> ## Allow qemu to use usb devices ## </p> ## </desc> -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false) type qemu_exec_t; virt_domain_template(qemu) diff -pru refpolicy-09062012-git-master/policy/modules/contrib/rpc.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te --- refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu Sep 6 10:54:59 2012 
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow gssd to read temp directory. For access to kerberos tgt. ## </p> ## </desc> -gen_tunable(allow_gssd_read_tmp, true) +gen_tunable(allow_gssd_read_tmp, false) ## <desc> ## <p> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te Thu Sep 6 10:54:20 2012 @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd to read/write user home directories. ## </p> ## </desc> -gen_tunable(spamd_enable_home_dirs, true) +gen_tunable(spamd_enable_home_dirs, false) type spamassassin_t; type spamassassin_exec_t; diff -pru refpolicy-09062012-git-master/policy/modules/contrib/virt.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te --- refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te Thu Sep 6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false) ## Allow virt to use usb devices ## </p> ## </desc> -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false) virt_domain_template(svirt) role system_r types svirt_t; diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xen.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te --- refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu Sep 6 10:54:41 2012 @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not required if using dedicated logical volumes for disk images. ## </p> ## </desc> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap, false) ## <desc> ## <p> 
@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ## Not required if using paravirt and no vfb. ## </p> ## </desc> -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false) ## <desc> ## <p> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xguest.te refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu Aug 23 19:23:00 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te Thu Sep 6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0) ## Allow xguest users to mount removable media ## </p> ## </desc> -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media, false) ## <desc> ## <p> ## Allow xguest to configure Network Manager ## </p> ## </desc> -gen_tunable(xguest_connect_network, true) +gen_tunable(xguest_connect_network, false) ## <desc> ## <p> ## Allow xguest to use blue tooth devices ## </p> ## </desc> -gen_tunable(xguest_use_bluetooth, true) +gen_tunable(xguest_use_bluetooth, false) role xguest_r; diff -pru refpolicy-09062012-git-master/policy/modules/services/postgresql.te refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep 6 10:50:18 2012 +++ refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te Thu Sep 6 10:51:57 2012 @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL statement ## </p> ## </desc> -gen_tunable(sepgsql_enable_users_ddl, true) +gen_tunable(sepgsql_enable_users_ddl, false) ## <desc> ## <p> @@ -37,7 +37,7 @@ gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to execute DML statement ## </p> ## </desc> -gen_tunable(sepgsql_unconfined_dbadm, true) +gen_tunable(sepgsql_unconfined_dbadm, false) type postgresql_t; type postgresql_exec_t; ^ permalink raw reply [flat|nested] 22+ messages in thread
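Review bot: the mcelog.te hunks contradict the cover text, which says mcelog is left alone, yet mcelog_foreground and mcelog_syslog are both flipped to false here. Neither boolean widens privilege in the sense the commit message gives ("risky as defaults"): their own descriptions are about foreground usage/version output and the syslog option, so turning them off changes default daemon behaviour rather than reducing exposure. Either drop these two hunks or say in the commit message why they are included.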
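Review bot: in the xguest.te hunk, xguest_connect_network ("Allow xguest to configure Network Manager") is flipped to false although the commit message says network booleans are excepted; keep that boolean or reword the exception. xguest_mount_media is the same removable-media question this thread has been debating for the userdomain tunable, so its rationale belongs in the commit message rather than under a blanket "somehow risky".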
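Review bot: the xen.te hunks turn off xend_run_blktap and xend_run_qemu, whose descriptions say they are only "not required" with dedicated logical volumes and with paravirt and no vfb, i.e. the HVM case needs them; the same functional-default concern applies to qemu_use_cifs/qemu_use_nfs/qemu_use_usb, virt_use_usb, allow_gssd_read_tmp ("For access to kerberos tgt") and sepgsql_unconfined_dbadm. Off by default is defensible, but each of these silently breaks a documented use case, so the commit message should list them so distributions know what to re-enable in booleans.conf.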
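Review bot: the patch is a `diff -pru` between dated snapshot directories (refpolicy-09062012-git-master vs refpolicy-09062012-safe-default-booleans) rather than the git format-patch output used for the rest of this series, so it carries no commit and no module bookkeeping. Resend with `git format-patch`, and since the change alters module behaviour, bump the policy_module() versions visible in the context lines (e.g. rpc 1.14.0, xen 1.12.0, xguest 1.1.0) as refpolicy convention expects.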
* [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) 2012-09-06 11:14 ` [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) Guido Trentalancia @ 2012-09-06 12:54 ` Daniel J Walsh 0 siblings, 0 replies; 22+ messages in thread From: Daniel J Walsh @ 2012-09-06 12:54 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/06/2012 07:14 AM, Guido Trentalancia wrote: > Hello Daniel. > > Following your reflections, I have checked the current situation and I > share the concerns, so I have created a patch which disables most tunable > policy booleans (except network and the mcelog module as it deals amongst > other things with CPU thermal events which can be related to hardware > failures). > > On 05/09/2012 15:24, Daniel J Walsh wrote: >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> >> On 09/05/2012 04:41 AM, Guido Trentalancia wrote: >>> On 05/09/2012 09:00, Dominick Grift wrote: >>>> >>>> >>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote: >>>>> On 04/09/2012 23:21, Laurent Bigonville wrote: >>>>>> From: Mika Pfl?ger <debian@mikapflueger.de> >>>>>> >>>>>> Add a new boolean to grant users access to dosfs_t. --- >>>>>> policy/global_tunables | 7 +++++++ >>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files >>>>>> changed, 13 insertions(+) >>>>>> >>>>>> diff --git a/policy/global_tunables b/policy/global_tunables >>>>>> index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ >>>>>> b/policy/global_tunables 
@@ -111,3 +111,10 @@ >>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> >>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## >>>>>> Allow users to manage files on dosfs_t devices, usually removable >>>>>> media +## </p> +## </desc> >>>>>> +gen_tunable(user_manage_dos_files,true) >>>>> >>>>> In my opinion is good to have this as on option, but in a secure >>>>> environment the default should be false for removable media. >>>> >>>> i would prefer the boolean to be fprefix userdom or userdomain >>>> instead of user, because that it the module that declares this >>>> boolean. >>>> >>>> Since the user is also allowed to manage dos dirs i would probably >>>> call it: userdomain_manage_dos_content >>>> >>>> as description i would use: >>>> >>>> "Determine whether users can manage dosfs content." >>> >>> I agree. And, in particular it's not "dos files" which can be >>> confusing, but dos filesystems which is already perfectioned in >>> Dominick's amendments. >>> >>>>>> diff --git a/policy/modules/system/userdomain.if >>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 >>>>>> 100644 --- a/policy/modules/system/userdomain.if +++ >>>>>> b/policy/modules/system/userdomain.if 
@@ -117,6 +117,12 @@ >>>>>> template(`userdom_base_user_template',` # Allow making the stack >>>>>> executable via mprotect. allow $1_t self:process execstack; ') + >>>>>> + tunable_policy(`user_manage_dos_files',` + >>>>>> fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) + >>>>>> ') + ') >>>>>> >>>>>> ####################################### >>> >>> _______________________________________________ refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>> >> I think all booleans should be off by default and then the distributions >> can decide which booleans to turn on using the booleans.conf file. This >> would allow us one file to look at to see what is enabled. > > Turn off all/most tunable policy booleans by default in Reference Policy > (except network). > > They can be enabled on a per-distribution basis and many of those that were > enabled were somehow risky as defaults. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- > > diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te > --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu > Aug 23 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te > Thu Sep 6 10:56:21 2012 @@ -30,7 +30,7 @@ > gen_tunable(mcelog_exec_scripts, true) ## print out usage and version > information. ## </p> ## </desc> -gen_tunable(mcelog_foreground, true) > +gen_tunable(mcelog_foreground, false) > > ## <desc> ## <p> 
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ## > syslog option. ## </p> ## </desc> -gen_tunable(mcelog_syslog, true) > +gen_tunable(mcelog_syslog, false) > > type mcelog_t; type mcelog_exec_t; diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/qemu.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te --- > refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug 23 > 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te > Thu Sep 6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, > false) ## Allow qemu to use cifs/Samba file systems ## </p> ## </desc> > -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false) > > ## <desc> ## <p> @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ## > Allow qemu to use nfs file systems ## </p> ## </desc> > -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false) > > ## <desc> ## <p> ## Allow qemu to use usb devices ## </p> ## </desc> > -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false) > > type qemu_exec_t; virt_domain_template(qemu) diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/rpc.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te --- > refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug 23 > 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu > Sep 6 10:54:59 2012 
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow > gssd to read temp directory. For access to kerberos tgt. ## </p> ## > </desc> -gen_tunable(allow_gssd_read_tmp, true) > +gen_tunable(allow_gssd_read_tmp, false) > > ## <desc> ## <p> diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te > > - --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu > Aug 23 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te > > Thu Sep 6 10:54:20 2012 > @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd > to read/write user home directories. ## </p> ## </desc> > -gen_tunable(spamd_enable_home_dirs, true) > +gen_tunable(spamd_enable_home_dirs, false) > > type spamassassin_t; type spamassassin_exec_t; diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/virt.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te --- > refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug 23 > 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te > Thu Sep 6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, > false) ## Allow virt to use usb devices ## </p> ## </desc> > -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false) > > virt_domain_template(svirt) role system_r types svirt_t; diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/xen.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te --- > refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug 23 > 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu > Sep 6 10:54:41 2012 
@@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not > required if using dedicated logical volumes for disk images. ## </p> ## > </desc> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap, > false) > > ## <desc> ## <p> @@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ## > Not required if using paravirt and no vfb. ## </p> ## </desc> > -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false) > > ## <desc> ## <p> diff -pru > refpolicy-09062012-git-master/policy/modules/contrib/xguest.te > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te > --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu > Aug 23 19:23:00 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te > Thu Sep 6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0) > ## Allow xguest users to mount removable media ## </p> ## </desc> > -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media, > false) > > ## <desc> ## <p> ## Allow xguest to configure Network Manager ## </p> ## > </desc> -gen_tunable(xguest_connect_network, true) > +gen_tunable(xguest_connect_network, false) > > ## <desc> ## <p> ## Allow xguest to use blue tooth devices ## </p> ## > </desc> -gen_tunable(xguest_use_bluetooth, true) > +gen_tunable(xguest_use_bluetooth, false) > > role xguest_r; > > diff -pru > refpolicy-09062012-git-master/policy/modules/services/postgresql.te > refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te > > - --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep > 6 10:50:18 2012 +++ > refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te > > Thu Sep 6 10:51:57 2012 > @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL > statement ## </p> ## </desc> -gen_tunable(sepgsql_enable_users_ddl, true) > +gen_tunable(sepgsql_enable_users_ddl, false) > > ## <desc> ## <p> 
@@ -37,7 +37,7 @@ > gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to > execute DML statement ## </p> ## </desc> > -gen_tunable(sepgsql_unconfined_dbadm, true) > +gen_tunable(sepgsql_unconfined_dbadm, false) > > type postgresql_t; type postgresql_exec_t; > That looks good to me. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBInPMACgkQrlYvE4MpobMJrQCfY6dUKRIs/7FCJSwAuDweNkU1 9koAn25rZqW1R1Km6q9+ygRZW7Y76TvU =lxXC -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 22+ messages in thread
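Review bot: the quoted mcelog.te hunks `@@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true)` and `@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false)` turn mcelog_foreground and mcelog_syslog off, which contradicts the cover text above saying the patch disables booleans "except network and the mcelog module" because of CPU thermal events. Either drop these two hunks (they leave mcelog_exec_scripts at true in the context line, so the module is only half excluded as it stands) or correct the description, and make the in-patch text ("except network") and the cover text agree on the exclusion list.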
* [refpolicy] [PATCH v2 2/3] user access to DOS filesystems 2012-09-05 7:00 ` Dominick Grift 2012-09-05 8:41 ` Guido Trentalancia @ 2012-09-05 15:50 ` Laurent Bigonville 2012-09-05 17:58 ` Christopher J. PeBenito 1 sibling, 1 reply; 22+ messages in thread From: Laurent Bigonville @ 2012-09-05 15:50 UTC (permalink / raw) To: refpolicy From: Mika Pfl?ger <debian@mikapflueger.de> Add a new boolean to grant users access to dosfs_t. --- policy/global_tunables | 7 +++++++ policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/policy/global_tunables b/policy/global_tunables index 4705ab6..092df0b 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Determine whether users can manage dosfs content. +## </p> +## </desc> +gen_tunable(userdomain_manage_dos_content,false) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e720dcd..949c738 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') + + tunable_policy(`userdomain_manage_dos_content',` + fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) + ') + ') ####################################### -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 22+ messages in thread
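Review bot: the global_tunables hunk `@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)` declares userdomain_manage_dos_content in policy/global_tunables although the only consumer added by this patch is policy/modules/system/userdomain.if. A tunable referenced from a single module belongs in that module's .te file (userdomain.te here), with global_tunables reserved for booleans used across several modules; move the declaration and bump the userdomain policy_module version in the same change.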
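Review bot: the userdomain.if hunk `@@ -117,6 +117,12 @@ template(`userdom_base_user_template',` adds the tunable_policy block to the base user template, which is meant to define the most minimal user; managing dosfs content is not minimal and should go in a higher-level template such as userdom_common_user_template. Before moving it, check whether the block is needed at all: dosfs_t carries the noxattrfs attribute, so the existing user_rw_noexattrfile tunable (quoted later in this thread, granting fs_manage_noxattr_fs_files and fs_manage_noxattr_fs_dirs when on and fs_read_noxattr_fs_files when off) already covers this access, and a second boolean for the same permissions means the two can disagree with each other.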
* [refpolicy] [PATCH v2 2/3] user access to DOS filesystems 2012-09-05 15:50 ` [refpolicy] [PATCH v2 2/3] user access to DOS filesystems Laurent Bigonville @ 2012-09-05 17:58 ` Christopher J. PeBenito 0 siblings, 0 replies; 22+ messages in thread From: Christopher J. PeBenito @ 2012-09-05 17:58 UTC (permalink / raw) To: refpolicy On 09/05/12 11:50, Laurent Bigonville wrote: > From: Mika Pfl??ger <debian@mikapflueger.de> > > Add a new boolean to grant users access to dosfs_t. > --- > policy/global_tunables | 7 +++++++ > policy/modules/system/userdomain.if | 6 ++++++ > 2 files changed, 13 insertions(+) > > diff --git a/policy/global_tunables b/policy/global_tunables > index 4705ab6..092df0b 100644 > --- a/policy/global_tunables > +++ b/policy/global_tunables > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false) > ## </p> > ## </desc> > gen_tunable(user_tcp_server,false) > + > +## <desc> > +## <p> > +## Determine whether users can manage dosfs content. > +## </p> > +## </desc> > +gen_tunable(userdomain_manage_dos_content,false) This should be moved to the userdomain module, as its effect is only in that module. Global tunables should only be used if the tunable is used in multiple modules. > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index e720dcd..949c738 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if 
> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',` > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + tunable_policy(`userdomain_manage_dos_content',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + This is too low level of a template for this access. It should be moved to a higher level template such as userdom_common_user_template. userdom_base_user_template is supposed to define the most minimal user. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville 2012-09-04 23:45 ` Guido Trentalancia @ 2012-09-06 14:24 ` Laurent Bigonville 2012-09-06 16:31 ` Guido Trentalancia 1 sibling, 1 reply; 22+ messages in thread From: Laurent Bigonville @ 2012-09-06 14:24 UTC (permalink / raw) To: refpolicy Le Tue, 4 Sep 2012 23:21:08 +0200, Laurent Bigonville <bigon@debian.org> a ?crit : > + tunable_policy(`user_manage_dos_files',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + > ') I was reading the code further and isn't the proposed patch actually redundant with user_rw_noexattrfile? tunable_policy(`user_rw_noexattrfile',` fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) ',` fs_read_noxattr_fs_files($1_t) ') So shouldn't the proposed patch simply be dropped? Cheers Laurent Bigonville ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-06 14:24 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville @ 2012-09-06 16:31 ` Guido Trentalancia 2012-09-06 16:39 ` Guido Trentalancia 2012-09-06 17:05 ` Guido Trentalancia 0 siblings, 2 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-06 16:31 UTC (permalink / raw) To: refpolicy On 06/09/2012 16:24, Laurent Bigonville wrote: > Le Tue, 4 Sep 2012 23:21:08 +0200, > Laurent Bigonville <bigon@debian.org> a ?crit : > >> + tunable_policy(`user_manage_dos_files',` >> + fs_manage_dos_dirs($1_t) >> + fs_manage_dos_files($1_t) >> + ') >> + >> ') > > I was reading the code further and isn't the proposed patch actually > redundant with user_rw_noexattrfile? > > tunable_policy(`user_rw_noexattrfile',` > fs_manage_noxattr_fs_files($1_t) > fs_manage_noxattr_fs_dirs($1_t) > ',` > fs_read_noxattr_fs_files($1_t) > ') > > So shouldn't the proposed patch simply be dropped? Fortunately, it has not been applied, I think. And if it causes problems and degradation of current policy, as you now recognize, why did you post it in the first place then ? > Cheers > > Laurent Bigonville ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-06 16:31 ` Guido Trentalancia @ 2012-09-06 16:39 ` Guido Trentalancia 2012-09-06 17:05 ` Guido Trentalancia 1 sibling, 0 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-06 16:39 UTC (permalink / raw) To: refpolicy On 06/09/2012 18:31, Guido Trentalancia wrote: > On 06/09/2012 16:24, Laurent Bigonville wrote: >> Le Tue, 4 Sep 2012 23:21:08 +0200, >> Laurent Bigonville <bigon@debian.org> a ?crit : >> >>> + tunable_policy(`user_manage_dos_files',` >>> + fs_manage_dos_dirs($1_t) >>> + fs_manage_dos_files($1_t) >>> + ') >>> + >>> ') >> >> I was reading the code further and isn't the proposed patch actually >> redundant with user_rw_noexattrfile? >> >> tunable_policy(`user_rw_noexattrfile',` >> fs_manage_noxattr_fs_files($1_t) >> fs_manage_noxattr_fs_dirs($1_t) >> ',` >> fs_read_noxattr_fs_files($1_t) >> ') >> >> So shouldn't the proposed patch simply be dropped? > > Fortunately, it has not been applied, I think. And if it causes problems > and degradation of current policy, as you now recognize, why did you > post it in the first place then ? The version above does not exclude xattr so it leads to marked security flaw. It also leads to another security risk as already pointed out in previous messages (no disabled boolean for cross-OS filesystems write). This project goes in the opposite direction, I suppose... ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 2/3] user access to DOS files 2012-09-06 16:31 ` Guido Trentalancia 2012-09-06 16:39 ` Guido Trentalancia @ 2012-09-06 17:05 ` Guido Trentalancia 1 sibling, 0 replies; 22+ messages in thread From: Guido Trentalancia @ 2012-09-06 17:05 UTC (permalink / raw) To: refpolicy On 06/09/2012 18:31, Guido Trentalancia wrote: > On 06/09/2012 16:24, Laurent Bigonville wrote: >> Le Tue, 4 Sep 2012 23:21:08 +0200, >> Laurent Bigonville <bigon@debian.org> a ?crit : >> >>> + tunable_policy(`user_manage_dos_files',` >>> + fs_manage_dos_dirs($1_t) >>> + fs_manage_dos_files($1_t) >>> + ') >>> + >>> ') >> >> I was reading the code further and isn't the proposed patch actually >> redundant with user_rw_noexattrfile? >> >> tunable_policy(`user_rw_noexattrfile',` >> fs_manage_noxattr_fs_files($1_t) >> fs_manage_noxattr_fs_dirs($1_t) >> ',` >> fs_read_noxattr_fs_files($1_t) >> ') >> >> So shouldn't the proposed patch simply be dropped? > > Fortunately, it has not been applied, I think. And if it causes problems > and degradation of current policy, as you now recognize, why did you > post it in the first place then ? If you want to have some fun with filesystem-related things, then a very light supplemental patch might be needed for latest versions of the ntfs-3g project, as far as I remember from testing. It would need to have FUSE support, but optionalized (through good use of tunable policy which means do not allow by default the loading of fuse.ko kernel module and a few other related permissions that are only needed in FUSE supporting versions). ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request 2012-09-04 21:21 [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors Laurent Bigonville 2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville @ 2012-09-04 21:21 ` Laurent Bigonville 2012-09-04 22:57 ` Guido Trentalancia 1 sibling, 1 reply; 22+ messages in thread From: Laurent Bigonville @ 2012-09-04 21:21 UTC (permalink / raw) To: refpolicy From: Mika Pfl?ger <debian@mikapflueger.de> --- policy/modules/system/iptables.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 0646ee7..6f2fb69 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t) # Iptables local policy # +kernel_request_load_module(iptables_t) allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:fifo_file rw_fifo_file_perms; -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 22+ messages in thread
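Review bot: the commit message is empty, and the hunk `@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)` adds kernel_request_load_module(iptables_t) without saying which module load was denied; the follow-up in this thread shows that a plain `iptables -vL` autoloads iptable_filter, ip_tables and x_tables, so put that, together with the AVC denial, in the description. The new line is also inserted above the `allow iptables_t self:capability` rules, whereas refpolicy keeps a domain's self rules first and calls into other modules' interfaces after them, and the thread later notes that git master already has this call further down in iptables.te, so check for a duplicate before resending.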
* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request 2012-09-04 21:21 ` [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request Laurent Bigonville @ 2012-09-04 22:57 ` Guido Trentalancia 2012-09-05 0:30 ` Russell Coker 0 siblings, 1 reply; 22+ messages in thread From: Guido Trentalancia @ 2012-09-04 22:57 UTC (permalink / raw) To: refpolicy On 04/09/2012 23:21, Laurent Bigonville wrote: > From: Mika Pfl?ger <debian@mikapflueger.de> > > --- > policy/modules/system/iptables.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te > index 0646ee7..6f2fb69 100644 > --- a/policy/modules/system/iptables.te > +++ b/policy/modules/system/iptables.te > @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t) > # Iptables local policy > # > > +kernel_request_load_module(iptables_t) > allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; > dontaudit iptables_t self:capability sys_tty_config; > allow iptables_t self:fifo_file rw_fifo_file_perms; Is this for IPv6 ? It was not recommended in NSA security guidelines. Has this now been changed ? If not, then perhaps it can be enclosed in tunable policy ? Regards, Guido ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request 2012-09-04 22:57 ` Guido Trentalancia @ 2012-09-05 0:30 ` Russell Coker 2012-09-05 8:48 ` Guido Trentalancia 0 siblings, 1 reply; 22+ messages in thread From: Russell Coker @ 2012-09-05 0:30 UTC (permalink / raw) To: refpolicy On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote: > > +kernel_request_load_module(iptables_t) > > > > allow iptables_t self:capability { dac_read_search dac_override > >net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; > > allow iptables_t self:fifo_file rw_fifo_file_perms; > > Is this for IPv6 ? It was not recommended in NSA security guidelines. > Has this now been changed ? If not, then perhaps it can be enclosed in > tunable policy ? No, it happened on systems that didn't use any ip6tables commands. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request 2012-09-05 0:30 ` Russell Coker @ 2012-09-05 8:48 ` Guido Trentalancia 2012-09-05 9:23 ` Laurent Bigonville 0 siblings, 1 reply; 22+ messages in thread From: Guido Trentalancia @ 2012-09-05 8:48 UTC (permalink / raw) To: refpolicy On 05/09/2012 02:30, Russell Coker wrote: > On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote: >>> +kernel_request_load_module(iptables_t) >>> >>> allow iptables_t self:capability { dac_read_search dac_override >>> net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config; >>> allow iptables_t self:fifo_file rw_fifo_file_perms; >> >> Is this for IPv6 ? It was not recommended in NSA security guidelines. >> Has this now been changed ? If not, then perhaps it can be enclosed in >> tunable policy ? > > No, it happened on systems that didn't use any ip6tables commands. So, what is the module that it needs to load ? Guido ^ permalink raw reply [flat|nested] 22+ messages in thread
* [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request 2012-09-05 8:48 ` Guido Trentalancia @ 2012-09-05 9:23 ` Laurent Bigonville 0 siblings, 0 replies; 22+ messages in thread From: Laurent Bigonville @ 2012-09-05 9:23 UTC (permalink / raw) To: refpolicy Le Wed, 05 Sep 2012 10:48:44 +0200, Guido Trentalancia <guido@trentalancia.com> a ?crit : > On 05/09/2012 02:30, Russell Coker wrote: > > On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> > > wrote: > >>> +kernel_request_load_module(iptables_t) > >>> > >>> allow iptables_t self:capability { dac_read_search dac_override > >>> net_admin net_raw }; dontaudit iptables_t self:capability > >>> sys_tty_config; allow iptables_t self:fifo_file > >>> rw_fifo_file_perms; > >> > >> Is this for IPv6 ? It was not recommended in NSA security > >> guidelines. Has this now been changed ? If not, then perhaps it > >> can be enclosed in tunable policy ? > > > > No, it happened on systems that didn't use any ip6tables commands. > > So, what is the module that it needs to load ? On my debian machine, running "iptables -vL" is automatically loading iptable_filter, ip_tables, x_tables. But anyway, it seems that iptables.te file on git master is already containing that line (from 2009) a bit later in the code, so I guess that patch can just be dropped. Sorry for the noise, Cheers Laurent Bigonville ^ permalink raw reply [flat|nested] 22+ messages in thread