From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Joshua Brindle <brindle@quarksecurity.com>,
	Stephen Smalley <sds@tycho.nsa.gov>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH v2 0/3] Add support for extracting modules
Date: Fri, 7 Aug 2015 11:39:13 -0400
Message-ID: <55C4D121.9010001@tresys.com>
In-Reply-To: <55C4B482.5050208@quarksecurity.com>

On 8/7/2015 9:37 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
>>> Will you provide a patch to the reference policy to allow semanage_t
>>> to write into all kinds of directories?
>>>
>>> I personally see little value in this patch, as everything is readily
>>> accessible on the file system. Users who want to extract policies with
>>> semodule will now encounter policy issues where semanage_t is not
>>> allowed to write into the current working directory (depending where
>>> the user is at):
>>
>> Directly accessing files under /var/lib/selinux is not very
>> user-friendly or maintainable, as how the files are arranged and stored
>> is an implementation detail of libsemanage.
>>
> 
> Agreed, policy could (and maybe should) completely prevent users from
> messing around there, lest they corrupt something.

This is generally enforced in refpolicy, though a couple of privileged
domains (e.g. package managers) can access it.

>> The change allows users a new workflow in which they can readily extract
>> a module (whether locally created or distro-provided), modify it, and
>> then re-install it (and automatically have their modified version
>> installed at higher priority, and thereby not clobber the
>> distro-provided one or be clobbered by subsequent policy updates).
>>
>> semanage is already given userdom_read_user_home_content_files() and
>> userdom_read_user_tmp_files() in order to support semodule -i from
>> either of those locations, so broadening that to userdom_manage doesn't
>> seem too onerous.
>>
>> Also, the situation doesn't seem terribly different from the already
>> existing semanage export facility, which takes a -f output_file option.
>>
> 
> Alternatively the module could always be output to stdout and then
> piping it to a file would use the user's (or shell's) domain rather than
> semanage_t.
>
> There is definitely an integrity violation with having such a privileged
> program read from user directories but I suppose that ship has sailed.

It's a side effect of the UBAC implementation, as all the users have the
same types for their home directory contents, but with different seusers.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
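The thread turns on which domain ends up performing the write when a module is extracted: with semodule writing the file itself, any denial is charged to semanage_t against the type of the current working directory, whereas Joshua's stdout alternative would have the user's shell domain open the output file. The following is an added example, not code from the thread or from the SELinux userspace project, that shows how an administrator would confirm which case they are in from audit AVC records: it parses a few constructed AVC lines (labelled as such, not real log data), keeps only denials where semanage_t lacked directory-write permissions, and summarises the target types a refpolicy change such as the userdom_manage interfaces mentioned above would have to cover. Function names, the DIR_WRITE_PERMS set and the sample lines are assumptions of this example.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample audit records (not taken from any real system or from the
# thread). Three are denials against semanage_t writing into a user-owned
# directory; the last is an unrelated denial that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1438958353.120:301): avc:  denied  { write } for  pid=2311 comm="semodule" name="work" dev="dm-0" ino=131077 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1438958353.121:301): avc:  denied  { add_name } for  pid=2311 comm="semodule" name="foo.pp" scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1438958361.002:302): avc:  denied  { write } for  pid=2311 comm="semodule" name="tmp" dev="dm-0" ino=12 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1438958370.001:303): avc:  denied  { write } for  pid=2400 comm="httpd" name="html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
"""

# Directory permissions a domain needs before it can create a file in a
# directory; semodule writing an extracted module into cwd needs these.
DIR_WRITE_PERMS: Set[str] = {"write", "add_name", "remove_name", "create", "rmdir"}

# Fields of an AVC denial in the order the kernel emits them.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx: str) -> str:
    """Return the type field (user:role:type:range) of a security context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m.group("comm"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def parse_audit_log(text: str) -> List[Dict]:
    """Parse every AVC denial in a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def semanage_dir_write_denials(records: List[Dict]) -> List[Dict]:
    """Denials where semanage_t itself was refused a directory-write permission.

    If the shell had written the file instead (the stdout alternative), the
    source type here would be the user's domain, not semanage_t.
    """
    return [
        r for r in records
        if r["stype"] == "semanage_t"
        and r["tclass"] == "dir"
        and r["perms"] & DIR_WRITE_PERMS
    ]


def target_types_needing_manage(records: List[Dict]) -> Dict[str, Set[str]]:
    """Map each denied target directory type to the permissions semanage_t lacked.

    This is the set a policy change would have to grant (e.g. by broadening
    read-only userdom interfaces to manage ones) for extraction into cwd to work.
    """
    needed: Dict[str, Set[str]] = {}
    for r in semanage_dir_write_denials(records):
        needed.setdefault(r["ttype"], set()).update(r["perms"])
    return needed


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ttype, perms in sorted(target_types_needing_manage(recs).items()):
        print(f"semanage_t lacks {sorted(perms)} on dirs of type {ttype}")
```

Running the script on the constructed lines reports user_home_t and user_tmp_t as the directory types semanage_t was refused; on a real system the same functions can be fed the output of a grep for `avc:` from /var/log/audit/audit.log, and an empty result after a failed extraction points at a non-SELinux cause instead.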
