2017-04-27 23:45:33

by guido

Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions

Improve the locallogin module by curbing on dac_override permissions
in the sulogin domain (read/search permissions only).

Thanks to Dominick Grift for suggesting this.

Other modules are likely affected by the same issue.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/locallogin.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/policy/modules/system/locallogin.te 2017-04-26 17:47:14.080423048 +0200
+++ b/policy/modules/system/locallogin.te 2017-04-28 01:33:10.287540604 +0200
@@ -216,7 +216,8 @@ optional_policy(`
# Sulogin local policy
#

-allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
+dontaudit sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
allow sulogin_t self:process setexec;
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
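Review bot: The added `dontaudit sulogin_t self:capability dac_override;` line carries no comment saying why the denial is expected, and it will also hide any case where sulogin really does need write access past DAC checks. Add a one-line comment above it stating that sulogin needs read/search override only and that the dac_override check is silenced as noise, and confirm with dontaudit rules disabled (`semodule -DB`) that no dac_override denial shows up on a write path before relying on the rule.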


2017-04-29 15:31:41

by Chris PeBenito

Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions

On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> Improve the locallogin module by curbing on dac_override permissions
> in the sulogin domain (read/search permissions only).
>
> Thanks to Dominick Grift for suggesting this.
>
> Other modules are likely affected by the same issue.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/system/locallogin.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/system/locallogin.te 2017-04-26 17:47:14.080423048 +0200
> +++ b/policy/modules/system/locallogin.te 2017-04-28 01:33:10.287540604 +0200
> @@ -216,7 +216,8 @@ optional_policy(`
> # Sulogin local policy
> #
>
> -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
> +dontaudit sulogin_t self:capability dac_override;
> +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
> allow sulogin_t self:process setexec;
> allow sulogin_t self:fd use;
> allow sulogin_t self:fifo_file rw_fifo_file_perms;

Merged. Unfortunately, since the dac_read_search was checked after
dac_override for so long, this issue is possibly very prevalent in the
policy.

--
Chris PeBenito

2017-04-29 18:23:16

by guido

Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions

Hello Christopher.

On Sat, 29/04/2017 at 11.31 -0400, Chris PeBenito wrote:
> On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> > Improve the locallogin module by curbing on dac_override
> > permissions
> > in the sulogin domain (read/search permissions only).
> >
> > Thanks to Dominick Grift for suggesting this.
> >
> > Other modules are likely affected by the same issue.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> >  policy/modules/system/locallogin.te |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > --- a/policy/modules/system/locallogin.te 2017-04-26
> > 17:47:14.080423048 +0200
> > +++ b/policy/modules/system/locallogin.te 2017-04-28
> > 01:33:10.287540604 +0200
> > @@ -216,7 +216,8 @@ optional_policy(`
> > ?# Sulogin local policy
> > ?#
> >
> > -allow sulogin_t self:capability { dac_override sys_admin
> > sys_tty_config };
> > +dontaudit sulogin_t self:capability dac_override;
> > +allow sulogin_t self:capability { dac_read_search sys_admin
> > sys_tty_config };
> > ?allow sulogin_t self:process setexec;
> > ?allow sulogin_t self:fd use;
> > ?allow sulogin_t self:fifo_file rw_fifo_file_perms;
>
> Merged.  Unfortunately, since the dac_read_search was checked after
> dac_override for so long, this issue is possibly very prevalent in
> the policy.

We'll fix that with time. It shouldn't be given the highest priority,
in my opinion.

What I think should be given the highest priority is testing the whole
policy without the unconfined module.

After that, the second highest priority should be given, in my opinion,
to the user data confidentiality patch.

Then, we can tackle this dac_override/dac_read_search issue throughout
the rest of the policy.

I'll do my best in the future to keep this in mind and eventually
provide improved policy.

Regards,

Guido
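
An added example, not part of the thread or of refpolicy itself: a small Python scan that lists `allow ... self:capability` rules granting `dac_override`, as candidates for the same review that was applied to sulogin_t here. The regex, the function name `find_dac_override_rules` and the `example_t` domain are assumptions made for illustration, and the sample policy text is constructed.

```python
import re

# Matches: allow <domain> self:capability <perm | { perms }>;
# Limitation (assumption): rules hidden inside m4 macros/interfaces are not expanded.
RULE_RE = re.compile(
    r"^[ \t]*allow[ \t]+(\S+)[ \t]+self[ \t]*:[ \t]*capability[ \t]+"
    r"(\{[^}]*\}|\w+)[ \t]*;",
    re.MULTILINE,
)

def find_dac_override_rules(policy_text):
    """Return [(line_no, domain, also_has_read_search)] for every allow rule
    that grants dac_override on the domain's own capability class."""
    findings = []
    for m in RULE_RE.finditer(policy_text):
        perms = set(m.group(2).strip("{}").split())
        if "dac_override" in perms:
            line_no = policy_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, m.group(1), "dac_read_search" in perms))
    return findings

# Constructed sample: the sulogin rule as it stood before the patch, plus a
# hypothetical domain (example_t) whose permission set wraps across lines.
SAMPLE_BEFORE = """\
# Sulogin local policy
allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
allow sulogin_t self:process setexec;
allow example_t self:capability { dac_read_search
    dac_override };
"""

# Constructed sample: the same sulogin rules after the patch.
SAMPLE_AFTER = """\
dontaudit sulogin_t self:capability dac_override;
allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
allow sulogin_t self:process setexec;
"""

if __name__ == "__main__":
    for line_no, domain, has_rs in find_dac_override_rules(SAMPLE_BEFORE):
        note = "also has dac_read_search" if has_rs else "dac_override only"
        print(f"line {line_no}: {domain} ({note}): review whether write override is needed")
```

A hit only marks a rule for manual review; whether the domain can drop to `dac_read_search` still has to be checked against what the program actually does.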