* [refpolicy] [PATCH] Allow sysadm to map all non auth files
From: Luis Ressel @ 2017-09-12  2:41 UTC (permalink / raw)
  To: refpolicy

From: Jason Zaman <jason@perfinion.com>

The idea and code are from perfinion. I support it, but we should
probably discuss it.
---
 policy/modules/kernel/files.if      | 20 ++++++++++++++++++++
 policy/modules/system/userdomain.if |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b4803770e..42de367d7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
 	files_manage_kernel_modules($1)
 ')
 
+########################################
+## <summary>
+##	Mmap non-authentication related
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_map_non_auth_files',`
+	gen_require(`
+		attribute non_auth_file_type;
+	')
+
+	allow $1 non_auth_file_type:file map;
+')
+
 ########################################
 ## <summary>
 ##	Relabel all non-authentication related
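Review bot: the `<summary>` on the new interface ("Mmap non-authentication related files") should say that the rule grants `map` on the `file` object class only, since that is all `allow $1 non_auth_file_type:file map;` covers; a caller that also needs to map other classes of non-auth objects would otherwise assume this interface provides it. Since the interface is marked `<rolecap/>` and is clearly meant to sit beside `files_manage_non_auth_files`, a one-line note to that effect in the summary would save the next reader from checking the body.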
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 849f9b6a7..e4d4ca33d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
 	auth_getattr_shadow($1_t)
 	# Manage almost all files
 	files_manage_non_auth_files($1_t)
+	files_map_non_auth_files($1_t)
 	# Relabel almost all files
 	files_relabel_non_auth_files($1_t)
 
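Review bot: the `# Manage almost all files` comment now heads two calls; change it to something like `# Manage and map almost all files` so the new `files_map_non_auth_files($1_t)` line is not read as a stray addition between the manage and relabel blocks. The commit message also leaves the rationale open ("we should probably discuss it"); since this widens a rolecap for the admin domain, the reason settled in the thread (ordinary admin tools such as git and grep replacements mmap files, and the only case the missing permission guards is a non-auth file later relabeled to an auth type) belongs in the message itself.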
-- 
2.14.1


* [refpolicy] [PATCH] Allow sysadm to map all non auth files
From: Chris PeBenito @ 2017-09-12 22:53 UTC (permalink / raw)
  To: refpolicy

On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman <jason@perfinion.com>
> 
> The idea and code are from perfinion. I support it, but we should
> probably discuss it.

What's the rationale?  Just because sysadmin has all the other access?


> ---
>   policy/modules/kernel/files.if      | 20 ++++++++++++++++++++
>   policy/modules/system/userdomain.if |  1 +
>   2 files changed, 21 insertions(+)
> 
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index b4803770e..42de367d7 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
>   	files_manage_kernel_modules($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Mmap non-authentication related
> +##	files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_map_non_auth_files',`
> +	gen_require(`
> +		attribute non_auth_file_type;
> +	')
> +
> +	allow $1 non_auth_file_type:file map;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Relabel all non-authentication related
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 849f9b6a7..e4d4ca33d 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
>   	auth_getattr_shadow($1_t)
>   	# Manage almost all files
>   	files_manage_non_auth_files($1_t)
> +	files_map_non_auth_files($1_t)
>   	# Relabel almost all files
>   	files_relabel_non_auth_files($1_t)
>   
> 


-- 
Chris PeBenito


* [refpolicy] [PATCH] Allow sysadm to map all non auth files
From: Luis Ressel @ 2017-09-13  3:05 UTC (permalink / raw)
  To: refpolicy

On Tue, 12 Sep 2017 18:53:48 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> > From: Jason Zaman <jason@perfinion.com>
> > 
> > The idea and code are from perfinion. I support it, but we should
> > probably discuss it.  
> 
> What's the rationale?  Just because sysadmin has all the other access?
> 

That, and because mmap()ing a file is a perfectly fine thing to do that
various applications are bound to attempt. We cannot possibly add
special rules for every tool an admin may attempt to run in the
sysadm_t domain. For example, my machines have git repos all over the
place which I can no longer use without the map permission, and the grep
replacement I'm using tries to mmap(), too. (It's nonfatal in the
latter case, but the error messages and denials are annoying.)

Considering how sysadm_t has full access to all non-auth files anyway,
the only scenario that the lack of the map permission is protecting us
from is when a non-auth file is suddenly relabeled to an auth type.
Are we really worried enough about such a corner case that we're
willing to place a substantial restriction on sysadm_t?
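The argument above rests on which tools actually hit `map` denials in sysadm_t before the rolecap is widened. The following is an added triage helper, not code from the thread or from refpolicy: it parses AVC denial records of the form the kernel emits and counts file:map denials per command and target type. The audit lines are constructed samples, and the commands and paths in them are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread). Lines 1, 2 and 4
# show the shape of a "map" refusal for a process in sysadm_t; line 3 is an
# unrelated read denial in staff_t that the filter must leave out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1505180400.101:201): avc:  denied  { map } for  pid=4242 comm="git" path="/home/admin/repo/.git/index" dev="sda2" ino=123456 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180401.334:202): avc:  denied  { map } for  pid=4250 comm="rg" path="/var/log/syslog" dev="sda2" ino=7788 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180402.500:203): avc:  denied  { read } for  pid=4260 comm="cat" path="/etc/shadow" dev="sda2" ino=9901 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505180403.777:204): avc:  denied  { map } for  pid=4270 comm="git" path="/home/admin/repo/.git/objects/pack/pack-1.idx" dev="sda2" ino=123999 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# One AVC record: the braces hold one or more space-separated permissions,
# contexts are user:role:type:level, and tclass names the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["sdomain"] = rec["scontext"].split(":")[2]   # source type, e.g. sysadm_t
    rec["ttype"] = rec["tcontext"].split(":")[2]     # target type, e.g. user_home_t
    return rec


def map_denials(log_text, domain="sysadm_t"):
    """Count file:map denials in `domain`, keyed by (comm, target type).

    This is the list an admin would review before deciding whether a blanket
    map grant on non_auth_file_type is warranted, or whether a single tool
    needs its own rule instead.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "map" in rec["perms"] and rec["tclass"] == "file" \
                and rec["sdomain"] == domain:
            counts[(rec["comm"], rec["ttype"])] += 1
    return counts


if __name__ == "__main__":
    for (comm, ttype), n in map_denials(SAMPLE_AUDIT).most_common():
        print(f"{n:3d}  {comm:<12} -> {ttype}")
```

On a live system the same function can be fed the output of `ausearch -m AVC` instead of the constructed sample.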


* [refpolicy] [PATCH] Allow sysadm to map all non auth files
From: Chris PeBenito @ 2017-09-13 22:30 UTC (permalink / raw)
  To: refpolicy

On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> From: Jason Zaman <jason@perfinion.com>
> 
> The idea and code are from perfinion. I support it, but we should
> probably discuss it.
> ---
>   policy/modules/kernel/files.if      | 20 ++++++++++++++++++++
>   policy/modules/system/userdomain.if |  1 +
>   2 files changed, 21 insertions(+)
> 
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index b4803770e..42de367d7 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',`
>   	files_manage_kernel_modules($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Mmap non-authentication related
> +##	files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`files_map_non_auth_files',`
> +	gen_require(`
> +		attribute non_auth_file_type;
> +	')
> +
> +	allow $1 non_auth_file_type:file map;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Relabel all non-authentication related
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 849f9b6a7..e4d4ca33d 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',`
>   	auth_getattr_shadow($1_t)
>   	# Manage almost all files
>   	files_manage_non_auth_files($1_t)
> +	files_map_non_auth_files($1_t)
>   	# Relabel almost all files
>   	files_relabel_non_auth_files($1_t)

Merged.


-- 
Chris PeBenito


* [refpolicy] [PATCH] Allow sysadm to map all non auth files
From: Chris PeBenito @ 2017-09-13 22:32 UTC (permalink / raw)
  To: refpolicy

On 09/12/2017 11:05 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 18:53:48 -0400
> Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
>> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
>>> From: Jason Zaman <jason@perfinion.com>
>>>
>>> The idea and code are from perfinion. I support it, but we should
>>> probably discuss it.
>>
>> What's the rationale?  Just because sysadmin has all the other access?
>>
> 
> That, and because mmap()ing a file is a perfectly fine thing to do that
> various applications are bound to attempt. We cannot possibly add
> special rules for every tool an admin may attempt to run in the
> sysadm_t domain. For example, my machines have git repos all over the
> place which I can no longer use without the map permission, and the grep
> replacement I'm using tries to mmap(), too. (It's nonfatal in the
> latter case, but the error messages and denials are annoying.)
> 
> Considering how sysadm_t has full access to all non-auth files anyway,
> the only scenario that the lack of the map permission is protecting us
> from is when a non-auth file is suddenly relabeled to an auth type.
> Are we really worried enough about such a corner case that we're
> willing to place a substantial restriction on sysadm_t?

I only wanted to understand the rationale, in case there was some other 
detail that needed further consideration.

-- 
Chris PeBenito
