From: Chris PeBenito <pebenito@ieee.org>
To: "Sugar, David" <dsugar@tresys.com>,
"selinux-refpolicy@vger.kernel.org"
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
Date: Sun, 17 Mar 2019 16:14:10 -0400
Message-ID: <abfce7dc-1fe6-a549-4395-80d5515e7171@ieee.org>
In-Reply-To: <36accfd4-7bc5-284e-5e9d-8684d1c51452@tresys.com>
On 3/14/19 10:22 PM, Sugar, David wrote:
>
>
> On 3/14/19 6:06 PM, Chris PeBenito wrote:
>> On 3/13/19 2:18 PM, Sugar, David wrote:
>>> I am having trouble with some denials due to the fact I am setting
>>> up specific private types for media attached to my system. This
>>> changes to use an attribute for media and interfaces to add types
>>> to the newly created attribute
>>
>> What you implemented doesn't seem consistent with what you have in the
>> commit message. sr0 is in your example denials, so these aren't all
>> fixed disk devices, so the interface names and the attribute names
>> should be related to all storage devices, it would seem.
>>
>>
>
> No, they are not all fixed disk denials. And maybe I should have split
> this into 2 (or 3) patches. As I was making changes they all seemed
> related from my use case, but from your point of view I can see why they
> are probably different. And I may not be explaining what I'm trying to
> accomplish clearly.
>
> Basically I have two (or three) cases:
> 1) I want to provide distinct types for USB devices so that only certain
> domains are able to mount/umount/format/etc... The attribute provides a
> way to grant access to things like lvm_t and kernel_t which still need
> to do stuff with the device nodes. The USB devices /dev/sd* by default
> are labeled fixed_disk_device_t.
>
> 2) I want to provide distinct types for certain hard disk/LVM
> partitions. This will provide a way to restrict access to certain
> domains to alter those hard disk partitions (i.e. mount and umount and
> cryptsetup (to change LUKS password)). At the same time this restricts
> those domains that need this specific hard disk access to still not have
> access to other partitions labeled fixed_disk_device_t. i.e. so if this
> domain is compromised, it can only alter the single partition it has
> access to, not others.
>
> 3) The last case may be overkill (maybe not), where I am labeling /dev/sr0
> and /dev/sg1 with a separate type to better control access to write to
> the generic scsi device node to only the process who is writing optical
> media. Again this provides a way to restrict access to the other
> /dev/sg* devices this process should not be accessing. /dev/sr0 is
> removable_device_t by default, but I also have some USB devices that
> present as cdrom devices and get /dev/sr1 as the device node, and by default
> they are also labeled removable_device_t.
>
> I am able to use specific udev rules to correctly set up the SELinux
> labels for these specific hard disk partitions, USB devices and optical
> drive.
>
> I am also open to other recommendations for a better way to solve these
> denials without giving domains that only need to access a single device
> or partition access to all devices.

These do not seem upstreamable. They sound very system-specific.

--
Chris PeBenito
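The layout David describes in the quoted message, an attribute spanning every storage device node so infrastructure domains such as lvm_t keep working, plus private per-device types so a single domain is confined to one node, can be sketched in refpolicy style. The fragment below is an added illustration, not the patch under discussion (whose contents are not in this thread) and not refpolicy's own code; the attribute name storage_device_node, the types usb_storage_device_t, luks_data_partition_t and my_disk_admin_t, the two interface names and the udev rule are all assumptions. dev_node(), manage_blk_files_pattern(), rw_blk_file_perms and device_t are existing refpolicy constructs.

```selinux
## storage.if -- hypothetical interfaces (not from refpolicy or the patch)
########################################
## <summary>
##	Make the specified type a storage device node and
##	put it on the shared storage_device_node attribute.
## </summary>
interface(`storage_device_node_type',`
	gen_require(`
		attribute storage_device_node;
	')

	typeattribute $1 storage_device_node;
	dev_node($1)
')

########################################
## <summary>
##	Manage every storage device node, whatever its private type.
##	Intended only for infrastructure domains (lvm_t, kernel_t).
## </summary>
interface(`storage_manage_all_device_nodes',`
	gen_require(`
		attribute storage_device_node;
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, storage_device_node)
	manage_chr_files_pattern($1, device_t, storage_device_node)
')

## storage.te -- hypothetical declarations
attribute storage_device_node;

# one private type per device class or partition that should be isolated
type usb_storage_device_t;
storage_device_node_type(usb_storage_device_t)

type luks_data_partition_t;
storage_device_node_type(luks_data_partition_t)

## lvm.te -- the infrastructure domain gets the whole attribute
storage_manage_all_device_nodes(lvm_t)

## mydisk.te -- a domain confined to the single LUKS partition;
## nothing here grants fixed_disk_device_t or any other storage_device_node type,
## so a compromise of my_disk_admin_t cannot reach the remaining partitions
type my_disk_admin_t;
allow my_disk_admin_t luks_data_partition_t:blk_file rw_blk_file_perms;

## /etc/udev/rules.d/99-storage-labels.rules -- hypothetical rule that applies
## the private type to USB block nodes as they appear (SECLABEL{selinux} is
## udev's key for setting the file context on the node)
ACTION=="add", SUBSYSTEM=="block", ENV{ID_BUS}=="usb", SECLABEL{selinux}="system_u:object_r:usb_storage_device_t:s0"
```

After loading the policy, `sesearch --allow -s lvm_t -t usb_storage_device_t -c blk_file` should show the access inherited through the attribute, while the same query with `-s my_disk_admin_t -t fixed_disk_device_t` should return nothing; `ls -Z /dev/sd*` after attaching a USB disk confirms the udev rule applied the private label.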