From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges
Date: Fri, 6 Apr 2018 14:18:39 -0400
Message-ID: <465b9b93-5260-7047-1eeb-685f26d7728e@ieee.org>
In-Reply-To: <f6dc7642-6c06-b55d-420e-8eaa7ba92e85@ieee.org>

On 03/27/2018 07:10 PM, Chris PeBenito via refpolicy wrote:
> On 03/25/2018 07:56 AM, Sven Vermeulen via refpolicy wrote:
>> This is the patchset which introduces a more granular approach to user
>> resources (files, directories) in the users' home directory. The patchset
>> is based on the freedesktop.org base directory specification, known as the
>> XDG Base Directory Specification, documented at the following URL:
>>
>> https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
>>
>> The patchset is based heavily on Gentoo's current implementation, which has
>> been active since 2011, but has been extended with some of the additional
>> work done by Guido Trentalancia who independently worked on a similar setup.
>>
>> The main purpose is to limit application access to user resources. Browsers
>> definitely, but other domains too are often tricked into leaking end user
>> data (be it personal data or sensitive configuration data), or even
>> manipulated to modify such data.
> 
> I'm willing to merge the entire patch set (this and the contrib one),
> but will wait a few days for comment, since the set is so large.

I was doing some final checks before merging, and I ran into several 
duplicate and one conflicting type transitions (I'm using git 
checkpolicy).  I had to make the following changes (locally for now) to 
fix them.  Did you run into this issue?


diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index d07d9df5..efa2c4c1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -230,11 +230,13 @@ template(`userdom_user_content_access_template',`
                 userdom_manage_user_home_content_dirs($2)
                 userdom_manage_user_home_content_files($2)
                 userdom_manage_user_home_content_symlinks($2)
-               userdom_user_home_dir_filetrans_user_home_content($2, 
{dir file lnk_file})
         ')

         tunable_policy(`$1_manage_all_user_content',`
                 userdom_manage_all_user_home_content($2)
+       ')
+
+       tunable_policy(`$1_manage_generic_user_content || 
$1_manage_all_user_content',`
                 userdom_user_home_dir_filetrans_user_home_content($2, 
{dir file lnk_file})
         ')
  ')


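Review bot: the new `tunable_policy(`$1_manage_generic_user_content || $1_manage_all_user_content',` block is the right home for the single `userdom_user_home_dir_filetrans_user_home_content($2, {dir file lnk_file})` call, since one type_transition now covers either tunable and the duplicate goes away; a one-line comment above that block saying the filetrans is deliberately kept out of both manage blocks would stop a later change from moving it back. Two smaller points: the argument is written `{dir file lnk_file}` while the firstboot and java call sites in the same mail use `{ dir file lnk_file }` with spaces inside the braces, and as quoted here the mail client has wrapped the long lines (the `$2, ` / `{dir file lnk_file})` split and the `||` condition), so anyone applying this from the message has to rejoin them first.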
diff --git a/firstboot.te b/firstboot.te
index d5fed3ec..e0b03894 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -85,7 +85,7 @@ userdom_user_content_access_template(firstboot, 
firstboot_t)
  tunable_policy(`firstboot_manage_generic_user_content',`
         userdom_manage_user_home_content_pipes(firstboot_t)
         userdom_manage_user_home_content_sockets(firstboot_t)
-       userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { 
dir file lnk_file fifo_file sock_file })
+       userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { 
fifo_file sock_file })
  ')

  optional_policy(`
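Review bot: the remaining `{ fifo_file sock_file }` transition stays under `firstboot_manage_generic_user_content` only, while `dir file lnk_file` now come from the `userdom_user_content_access_template(firstboot, firstboot_t)` call shown in the hunk header and fire under either tunable. That matches the pipe and socket manage rules beside it, but a short comment here saying the directory, file and symlink transitions live in the template would keep someone from re-adding `dir file lnk_file` and reintroducing the duplicate.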
diff --git a/gpg.te b/gpg.te
index b3830eeb..6c835b27 100644
--- a/gpg.te
+++ b/gpg.te
@@ -97,7 +97,7 @@ manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
  manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")

  gpg_stream_connect_agent(gpg_t)

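Review bot: adding the `".gnupg"` name argument in `userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")` changes behaviour as well as resolving the conflict: only a directory created with exactly that name is labelled `gpg_secret_t`, and any other directory gpg_t creates directly in the home directory now falls through to whatever unnamed transition applies. The commit message should say which transition this one conflicted with and that the narrowing is intended; the `manage_*_pattern` rules on `gpg_secret_t` above the change are unaffected.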
diff --git a/java.te b/java.te
index 5cf7ec04..fe73df16 100644
--- a/java.te
+++ b/java.te
@@ -116,7 +116,7 @@ userdom_write_user_tmp_sockets(java_domain)
  tunable_policy(`java_manage_generic_user_content',`
         userdom_manage_user_home_content_pipes(java_domain)
         userdom_manage_user_home_content_sockets(java_domain)
-       userdom_user_home_dir_filetrans_user_home_content(java_domain, { 
file lnk_file sock_file fifo_file })
+       userdom_user_home_dir_filetrans_user_home_content(java_domain, { 
sock_file fifo_file })
  ')

  tunable_policy(`allow_java_execstack',`
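Review bot: the removed call at the top of this hunk listed `{ file lnk_file sock_file fifo_file }` with no `dir`, whereas the template transition that replaces it in userdomain.if covers `{dir file lnk_file}`, so java_domain now gains a directory transition into user home content it did not have before. Probably harmless alongside the existing manage rules, but it is a widening and belongs in the commit message; the `{ sock_file fifo_file }` remainder under `java_manage_generic_user_content` is fine.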
diff --git a/mozilla.te b/mozilla.te
index 36ff6fbd..9cae4807 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -207,7 +207,6 @@ userdom_manage_user_tmp_dirs(mozilla_t)
  userdom_manage_user_tmp_files(mozilla_t)

  userdom_user_content_access_template(mozilla, { mozilla_t 
mozilla_plugin_t })
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })

  userdom_write_user_tmp_sockets(mozilla_t)

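Review bot: the removed `userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })` was unconditional, but its replacement comes from `userdom_user_content_access_template(mozilla, { mozilla_t mozilla_plugin_t })` and only exists while `mozilla_manage_generic_user_content` or `mozilla_manage_all_user_content` is on; with both off, mozilla_t loses this transition entirely, and when one is on the transition also gains `lnk_file`. Please confirm that default is intended and record it in the commit message, since it is a visible change for users who never touch the tunables.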
@@ -515,8 +514,6 @@ 
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
  userdom_manage_user_tmp_dirs(mozilla_plugin_t)
  userdom_manage_user_tmp_files(mozilla_plugin_t)

-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { 
dir file })
-
  userdom_write_user_tmp_sockets(mozilla_plugin_t)

  userdom_dontaudit_use_user_terminals(mozilla_plugin_t)

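Review bot: the `mozilla_plugin_t` transition dropped here is now supplied only by the template call in the mozilla_t section above, which passes both domains, so a comment at this spot pointing at that call would help the next reader of the plugin block, and the same question of what happens with both mozilla tunables off applies to this domain too. Removing the trailing blank line together with the rule (the bare `-` line) keeps the spacing clean; note also that the function context of the `@@ -515,8 +514,6 @@` header has been wrapped onto its own line by the mail client.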

-- 
Chris PeBenito

Thread overview:
2018-03-25 11:56 [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 1/7] Add gentemplates.sh to extract template content Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 2/7] Update segenxml to include support for templated booleans and tunables Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 3/7] Generate template code and update genxml call for documentation generation Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 4/7] freedesktop location support Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 5/7] Allow X server users to manage all xdg resources Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 6/7] helper interfaces to read/manage all user content Sven Vermeulen
2018-03-25 11:56 ` [refpolicy] [PATCH v3 7/7] tunable-managed user content access template Sven Vermeulen
2018-03-27 23:10 ` [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges Chris PeBenito
2018-04-06 18:18   ` Chris PeBenito [this message]
2018-04-27  6:29     ` Jason Zaman
2018-06-08 11:57       ` [refpolicy] [PATCH] userdom: remove filetrans from userdom_user_content_access_template Jason Zaman
2018-06-10 17:45 ` [refpolicy] [PATCH v3 0/7] X Desktop Group location support and reduced user content access privileges Chris PeBenito
