2010-07-12 13:32:23

by domg472

Subject: [refpolicy] common users and restricted users vs. access to all and access to generic only.

The following issue has been around for a while, and I see it coming
back from time to time.

In my previous patch set "Simplify user content" it came up again:

If we create attributes like user_home_type, user_tmp_type and
user_tmpfs_type for the various user content, and edit the
userdom_manage_home, tmp and tmpfs roles to allow the caller manage and
relabel access respectively, this would mean that, for example, xguest
would be able to manage/relabel thunderbird_home_t, a file type that it
should not be able to manage/relabel since xguest cannot run thunderbird
in the thunderbird_home_t domain (this is just one example).

So I suggested splitting these userdom interfaces into
userdom_manage_all and userdom_manage_generic home/tmp/tmpfs_roles.
This way we can allow common users access to all user_ home/tmp/tmpfs
_type by letting common users call
userdom_manage_all_home/tmp/tmpfs_role(), and we can allow restricted
users like xguest to manage only generic home/tmp/tmpfs files by letting
them call userdom_manage_generic_home/tmp/tmpfs_role(). For these
restricted users it would be required to give them access to non-generic
types implicitly.

For example, xguest can transition to mozilla and nsplugin, thus besides
managing/relabeling generic content, xguest would also be able to
manage/relabel mozilla user content as well as nsplugin user content.

This same issue is also surfacing in Fedora's use of config files.
Fedora added access to the attribute configfile in "files_read_etc_files()".
This interface is only for generic files in etc (etc_t) and not for all
files in etc regardless of their type, or for any other types with the
configfile attribute.

Instead we have files_read_config for that.

Common users should be as close as possible to regular linux users. Thus
in that regard they should be able to read all config files.

But xguest, which is a restricted user should not have all those
permissions. Instead restricted users should only get the access they
really need.

So by letting xguest call files_read_etc_files one essentially allows it
to read any config file if you add access to the configfile attribute in
files_read_etc_files.

Instead xguest only needs to read xdm_etc_t and gconfd_etc_t (and maybe
some generic files in etc).

What i am getting at here is the differentiation between restricted vs.
common and generic versus all.

We can, I hope, agree that common users should be as close as possible
to general (not MAC) Linux users.

We can, I hope, agree that restricted users should be restricted as much
as possible.

So:

common users can read all config files (files_read_config)
restricted users can only read generic config files
(files_read_etc_files) and the non-generic files in etc that they
strictly need to be able to work (read gconfd_etc_t and xdm_etc_t)

Same for user home/tmp/tmpfs types.

common users can manage and relabel all user content
restricted (login) users can only manage and relabel generic user
content and the non-generic user content that they strictly need to be
able to work (example for xguest: mozilla_home_t, mozilla_tmp_t,
mozilla_tmpfs_t)

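The interface split proposed in the message above, written out as an added example in refpolicy-style m4 (this is illustrative code, not a patch from the author or from the refpolicy tree). The interface names userdom_manage_generic_home_role and userdom_manage_all_home_role are the ones the post proposes; the caller lines at the bottom assume a user_r/user_t common user and an xguest_r/xguest_t restricted user, and take mozilla_role() as the interface that grants mozilla_home_t access alongside the domain transition (assumed names). The tmp and tmpfs variants, and the files_read_etc_files versus files_read_config split, follow the same pattern with different types and attributes.

```m4
########################################
## <summary>
##	Manage and relabel only generic user home content
##	(user_home_dir_t, user_home_t).  Intended for restricted
##	users such as xguest; non-generic home types (mozilla_home_t,
##	thunderbird_home_t, ...) must be granted separately, per
##	application.  Added example, not refpolicy's own interface.
## </summary>
## <param name="role"><summary>Role allowed access.</summary></param>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`userdom_manage_generic_home_role',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# create/read/write/delete generic home content only
	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)

	# relabel only between generic home types: a restricted user cannot
	# turn a thunderbird_home_t file into user_home_t or vice versa
	relabel_dirs_pattern($2, user_home_t, user_home_t)
	relabel_files_pattern($2, user_home_t, user_home_t)
	relabel_lnk_files_pattern($2, user_home_t, user_home_t)

	# new objects created directly in the home directory get the generic type
	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file })
')

########################################
## <summary>
##	Manage and relabel all user home content, i.e. every type
##	carrying the user_home_type attribute.  Intended for common
##	users, who should behave like ordinary Linux users.
##	Added example, not refpolicy's own interface.
## </summary>
## <param name="role"><summary>Role allowed access.</summary></param>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`userdom_manage_all_home_role',`
	gen_require(`
		attribute user_home_type;
		type user_home_dir_t;
	')

	# generic access (including the file transitions) first,
	# then widen manage and relabel to the whole attribute
	userdom_manage_generic_home_role($1, $2)

	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)

	relabel_dirs_pattern($2, user_home_type, user_home_type)
	relabel_files_pattern($2, user_home_type, user_home_type)
	relabel_lnk_files_pattern($2, user_home_type, user_home_type)
')

########################################
# Callers (assumed roles/domains, shown for illustration):

# common user: as close as possible to a regular Linux user
userdom_manage_all_home_role(user_r, user_t)

# restricted user: generic content only, plus the non-generic types it
# strictly needs.  mozilla_role() is assumed to grant mozilla_home_t
# access together with the mozilla domain transition.
userdom_manage_generic_home_role(xguest_r, xguest_t)
mozilla_role(xguest_r, xguest_t)
```

The point the split makes visible is the relabel rules: with the attribute-based interface, any caller gets relabelfrom/relabelto on every user_home_type member, so a restricted domain could relabel application content it can never legitimately produce. The generic interface keeps relabelfrom and relabelto on user_home_t alone, and each application's own role interface adds exactly the types that application needs.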