SELinux-Refpolicy Archive on lore.kernel.org
From: Chris PeBenito <pebenito@ieee.org>
To: "Sugar, David" <dsugar@tresys.com>,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
Date: Sun, 17 Mar 2019 16:14:10 -0400
Message-ID: <abfce7dc-1fe6-a549-4395-80d5515e7171@ieee.org>
In-Reply-To: <36accfd4-7bc5-284e-5e9d-8684d1c51452@tresys.com>

On 3/14/19 10:22 PM, Sugar, David wrote:
> 
> 
> On 3/14/19 6:06 PM, Chris PeBenito wrote:
>> On 3/13/19 2:18 PM, Sugar, David wrote:
>>> I am having trouble with some denials due to the fact I am setting
>>> up specific private types for media attached to my system.  This
>>> changes to use an attribute for media and interfaces to add types
>>> to the newly created attribute
>>
>> What you implemented doesn't seem consistent with what you have in the
>> commit message.  sr0 is in your example denials, so these aren't all
>> fixed disk devices, so the interface names and the attribute names
>> should be related to all storage devices, it would seem.
>>
>>
> 
> No, they are not all fixed disk denials.  And maybe I should have split
> this into 2 (or 3) patches.  As I was making changes they all seemed
> related from my use case, but from your point of view I can see why they
> are probably different.  And I may not be explaining what I'm trying to
> accomplish clearly.
> 
> Basically I have two (or three) cases:
> 1) I want to provide distinct types for USB devices so that only certain
> domains are able to mount/umount/format/etc...  The attribute provides a
> way to grant access to things like lvm_t and kernel_t which still need
> to do stuff with the device nodes.  The USB devices /dev/sd* by default
> are labeled fixed_disk_device_t.
> 
> 2) I want to provide distinct types for certain hard disk/LVM
> partitions.  This will provide a way to restrict access to certain
> domains to alter those hard disk partitions (i.e. mount and umount and
> cryptsetup (to change LUKS password)).  At the same time this restricts
> those domains that need this specific hard disk access to still not have
> access to other partitions labeled fixed_disk_device_t.  i.e. so if this
> domain is compromised, it can only alter the single partition it has
> access to, not others.
> 
> 3) The last case may be overkill (maybe not) where I am labeling /dev/sr0
> and /dev/sg1 with a separate type to better control access to write to
> the generic scsi device node to only the process who is writing optical
> media.  Again this provides a way to restrict access to the other
> /dev/sg* devices this process should not be accessing.  /dev/sr0 is
> removable_device_t by default but I also have some USB devices that
> present as cdrom devices, get /dev/sr1 as the device node, and by default
> are also labeled removable_device_t.
> 
> I am able to use specific udev rules to correctly setup the SELinux
> labels for these specific hard disk partitions, USB devices and optical
> drive.
> 
> I am also open to other recommendations for a better way to solve these
> denials without giving domains that only need to access a single device
> or partition access to all devices.

These do not seem upstreamable.  They sound very system-specific.


-- 
Chris PeBenito

Thread overview: 8+ messages
2019-03-13 18:18 [PATCH v3] Separate out udevadm into a new domain Sugar, David
2019-03-13 18:18 ` [PATCH v2] Setup attribute for fixed_disk_device and removable_device Sugar, David
2019-03-14 22:06   ` Chris PeBenito
2019-03-15  2:22     ` Sugar, David
2019-03-17 20:14       ` Chris PeBenito [this message]
2019-03-14 22:05 ` [PATCH v3] Separate out udevadm into a new domain Chris PeBenito
2019-03-15  2:27   ` [PATCH v4] " Sugar, David
2019-03-17 20:15     ` Chris PeBenito