From mboxrd@z Thu Jan 1 00:00:00 1970
From: Nicolas Iooss
To: SELinux List, Jason Zaman
Date: Tue, 2 Feb 2016 21:39:50 +0100
Subject: Re: genhomedircon uid template
In-Reply-To: <56B0C54B.2080407@tycho.nsa.gov>
References: <20160201093633.GB21978@meriadoc.perfinion.com> <56AFB25D.1070505@tycho.nsa.gov> <20160202062635.GA12699@meriadoc> <56B0C54B.2080407@tycho.nsa.gov>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On Tue, Feb 2, 2016 at 4:03 PM, Stephen Smalley wrote:

> On 02/02/2016 01:26 AM, Jason Zaman wrote:
>
>> On Mon, Feb 01, 2016 at 02:30:37PM -0500, Stephen Smalley wrote:
>>
>>> On 02/01/2016 04:36 AM, Jason Zaman wrote:
>>>
>>>> Hi all,
>>>>
>>>> XDG_RUNTIME_DIR is usually /run/user/$UID but there is no way to label
>>>> that in an fcontext file. It used to be /run/user/USER which is easy but
>>>> not UID.
>>>>
>>>> What template keyword should be used for such an entry? UID? USERID?
>>>>
>>>> USERID is perhaps more obvious but has to be replaced before USER but
>>>> that should be doable.
>>>>
>>>> https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L76
>>>>
>>>> UID does not conflict with USER but this line exists in refpol which
>>>> is problematic:
>>>> contrib/fetchmail.fc:13:/var/mail/\.fetchmail-UIDL-cache --
>>>> gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
>>>>
>>>> This could also be used for several fcontexts in kerberos. It stores the
>>>> tickets in /tmp/krbcc_UID for example.
>>>>
>>>> If we choose a template name I can put together a patch to add it.
>>>>
>>>
>>> No strong preferences from me on the particular name, e.g. USERID is
>>> fine. I think it highlights however the problems with the current
>>> approach; maybe we ought to be using ${USER} and ${UID} in .fc files
>>> instead?
>>>
>>
>> Yes there are definitely problems but fixing would mean refpol and
>> probably a lot of other things would need to be updated at the same
>> time.
>>
>> HOME_DIR and HOME_ROOT are not really problems since they are only
>> allowed in the beginning of an fcontext line and other lines start with
>> a /.
>>
>> USER, USERID, and possibly other things in future (GROUP, GROUPID?) can
>> appear at any point in the line so a more unique token might be
>> better. %USERID might be better than $USERID since that's a thing in
>> shells.
>>
>> If we do go down this path, what are the steps? and what tokens do we
>> want?
>>
>
> I think we would provide backward compatibility for the existing tokens,
> at least for some time. As far as I know, we only need to modify the
> refpolicy build process and libsemanage to support the new tokens.
>
> You need a way to mark the end of the token, either %USERID% or %{USERID}.

After reading this thread, I was wondering: should a way of escaping
placeholders be documented somewhere? For example, if I ever encounter a file
with "%USERID" in its name, I would use "[%]USERID" in the file context
pattern to give it a label. I find this quite hackish and I may have missed a
better way of handling it. Where are such things usually documented?

By the way, on systems running systemd, /run/user/$UID is a tmpfs mountpoint
which would be relabeled by systemd-logind right after it is created (using
lsetfilecon with the label defined in the policy), but a piece of code is
missing to enable this on Arch Linux and Debian. I reported this on
https://github.com/systemd/systemd/pull/2508 .

Nicolas
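The token collisions discussed in this thread, as an added example that is not part of the original message and is not libsemanage's code: it assumes the expansion is a plain substring replacement, and the helper names, the user "alice" and the uid 1000 are constructed. It shows a bare UID token rewriting the fetchmail path, USER expanded before USERID producing a wrong path, and the delimited %{...} form avoiding both.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace every occurrence of tok (non-empty) in src with val; caller frees. */
static char *replace_all(const char *src, const char *tok, const char *val)
{
    size_t tl = strlen(tok), vl = strlen(val), hits = 0;
    const char *p;
    for (p = src; (p = strstr(p, tok)) != NULL; p += tl)
        hits++;
    char *out = malloc(strlen(src) - hits * tl + hits * vl + 1), *o = out;
    if (!out)
        return NULL;
    while ((p = strstr(src, tok)) != NULL) {
        o += sprintf(o, "%.*s%s", (int)(p - src), src, val);
        src = p + tl;
    }
    strcpy(o, src);
    return out;
}

/* Expand n {token, value} pairs in array order (hypothetical helper, n >= 1). */
static char *expand(const char *line, const char *toks[][2], size_t n)
{
    char *cur = replace_all(line, toks[0][0], toks[0][1]);
    for (size_t i = 1; cur && i < n; i++) {
        char *next = replace_all(cur, toks[i][0], toks[i][1]);
        free(cur);
        cur = next;
    }
    return cur;
}

/* Constructed sample values: user "alice" with uid 1000. */
static const char *bare_uid[][2]   = { { "UID", "1000" } };
static const char *user_first[][2] = { { "USER", "alice" }, { "USERID", "1000" } };
static const char *id_first[][2]   = { { "USERID", "1000" }, { "USER", "alice" } };
static const char *delimited[][2]  = { { "%{USER}", "alice" }, { "%{USERID}", "1000" } };
static void show(char *s) { puts(s ? s : "(allocation failed)"); free(s); }

int main(void)
{
    show(expand("/var/mail/\\.fetchmail-UIDL-cache", bare_uid, 1)); /* mangled */
    show(expand("/run/user/USERID", user_first, 2));                /* wrong order */
    show(expand("/run/user/USERID", id_first, 2));                  /* right order */
    show(expand("/run/user/%{USERID}", delimited, 2));              /* order-independent */
    return 0;
}
```

A mangled pattern no longer matches the intended path, so the file falls through to whatever less specific entry applies and ends up with a different label than the policy author wrote.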