Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device

[Chris PeBenito <pebenito@ieee.org>]

On 3/14/19 10:22 PM, Sugar, David wrote:
> 
> 
> On 3/14/19 6:06 PM, Chris PeBenito wrote:
>> On 3/13/19 2:18 PM, Sugar, David wrote:
>>> I am having trouble with some denials due to the fact I am setting
>>> up specific private types for media attached to my system.  This
>>> changes to use an attribute for media and interfaces to add types
>>> to the newly created attribute
>>
>> What you implemented doesn't seem consistent with what you have in the
>> commit message.  sr0 is in your example denials, so these aren't all
>> fixed disk devices, so the interface names and the attribute names
>> should be related to all storage devices, it would seem.
>>
>>
> 
> No, they are not all fixed disk denials.  And maybe I should have split
> this into 2 (or 3) patches.  As I was making changes they all seemed
> related from my use case, but from your point of view I can see why they
> are probably different.  And I may not be explaining what I'm trying to
> accomplish clearly.
> 
> Basically I have two (or three) cases:
> 1) I want to provide distinct types for USB devices so that only certain
> domains are able to mount/umount/format/etc...  The attribute provides a
> way to grant access to things like lvm_t and kernel_t which still need
> to do stuff with the device nodes.  The USB devices /dev/sd* by default
> are labeled fixed_disk_device_t.
> 
> 2) I want to provide distinct types for certain hard disk/LVM
> partitions.  This will provide a way to restrict access to certain
> domains to alter those hard disk partitions (i.e. mount and umount and
> cryptsetup (to change LUKS password)).  At the same time this restricts
> those domains that need this specific hard disk access to still not have
> access to other partitions labeled fixed_disk_device_t.  i.e. so if this
> domain is compromised, it can only alter the single partition it has
> access to, not others.
> 
> 3) The last case maybe overkill (maybe not) where I am labeling /dev/sr0
> and /dev/sg1 with a separate type to better control access to write to
> the generic scsi device node to only the process who is writing optical
> media.  Again this provides a way to restrict access to the other
> /dev/sg* devices this process should not be accessing.  /dev/sr0 is
> removable_device_t by default but I also have some USB devices that
> present as cdrom devices get /dev/sr1 as the device node and by default
> are also labeled removable_device_t.
> 
> I am able to use specific udev rules to correctly setup the SELinux
> labels for these specific hard disk partitions, USB devices and optical
> drive.
> 
> I am also open to other recommendations for a better way to solve these
> denials without giving domains that only need to access a single device
> or partition access to all devices.

These do not seem upstreamable.  They sound very system-specific.


-- 
Chris PeBenito