2011-11-07 03:08:00

by Russell Coker

Subject: [refpolicy] user access to DOS files

The attached patch adds a new boolean for granting users access to dosfs_t.

Also in the same patch is a Debian specific patch to allow users to read
/var/lib/apt/lists. While it's generally best to split patches I think that
having an uncontroversial patch wrapped with distro_debian appended isn't a
big deal. If the dosfs_t patch is rejected I'll submit the Debian one
separately.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dos-files.diff
Type: text/x-patch
Size: 1196 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20111107/c4cd8cba/attachment.bin


2011-11-08 13:22:26

by cpebenito

Subject: [refpolicy] user access to DOS files

On 11/06/11 22:08, Russell Coker wrote:
> The attached patch adds a new boolean for granting users access to dosfs_t.
>
> Also in the same patch is a Debian specific patch to allow users to read
> /var/lib/apt/lists. While it's generally best to split patches I think that
> having an uncontroversial patch wrapped with distro_debian appended isn't a
> big deal. If the dosfs_t patch is rejected I'll submit the Debian one
> separately.

These are in userdom_base_user_template(); that is too low level of a template for these rules. That template is supposed to be as close to the absolute minimum usable user as possible. userdom_unpriv_user_template() or userdom_common_user_template() would be better choices.

> diff -ru ./policy/global_tunables /tmp/refpolicy/policy/global_tunables
> --- ./policy/global_tunables 2011-02-19 11:44:29.585412285 +1100
> +++ /tmp/refpolicy/policy/global_tunables 2011-11-07 13:22:19.258199269 +1100
> @@ -111,3 +111,10 @@
> ## </p>
> ## </desc>
> gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Allow users to manage files on dosfs_t devices, usually removable media
> +## </p>
> +## </desc>
> +gen_tunable(user_manage_dos_files,true)
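
Review bot: the new tunable on the last added line defaults to true (gen_tunable(user_manage_dos_files,true)), so every user domain built from the template gets manage access to dosfs_t unless an administrator turns the boolean off. The user_tcp_server tunable just above it defaults to false; defaulting this one to false as well would keep write access to removable media opt-in. The description could also mention directories, since the policy side calls fs_manage_dos_dirs as well as fs_manage_dos_files.
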
> diff -ru ./policy/modules/system/userdomain.if /tmp/refpolicy/policy/modules/system/userdomain.if
> --- ./policy/modules/system/userdomain.if 2011-10-29 21:44:32.502459650 +1100
> +++ /tmp/refpolicy/policy/modules/system/userdomain.if 2011-11-07 13:22:19.310197159 +1100
> @@ -117,6 +118,19 @@
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
> +
> + tunable_policy(`user_manage_dos_files',`
> + fs_manage_dos_dirs($1_t)
> + fs_manage_dos_files($1_t)
> + ')
> +
> + ifdef(`distro_debian', `
> + # allow reading /var/lib/apt/lists
> + apt_read_db($1_t)
> + # allow reading /var/cache/apt - should not be needed but
> + # does not really matter
> + apt_read_cache($1_t)
> + ')
> ')
>
> #######################################
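
Review bot: in the distro_debian block, apt_read_cache($1_t) is granted even though its own comment says it "should not be needed"; drop it and keep only apt_read_db($1_t) unless an observed denial shows the cache read is required. The apt_read_db and apt_read_cache calls are also made directly under ifdef with no optional_policy wrapper, which makes the user domain template depend on the apt module being present; wrapping them in optional_policy inside the ifdef would remove that dependency. The tunable_policy block for dosfs_t is unrelated to the apt rules and would be easier to review and revert as a separate patch.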



--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com