2012-09-04 21:21:07

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors

From: Laurent Bigonville <[email protected]>

---
policy/modules/kernel/corecommands.if | 2 +-
policy/modules/kernel/filesystem.if | 2 +-
policy/modules/kernel/kernel.if | 6 +++---
policy/modules/services/ssh.if | 2 +-
policy/modules/system/init.if | 4 ++--
policy/modules/system/libraries.if | 4 ++--
policy/modules/system/mount.if | 2 +-
policy/modules/system/unconfined.if | 4 ++--
8 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 9e9263a..6aea26e 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -51,7 +51,7 @@ interface(`corecmd_executable_file',`
## </param>
#
interface(`corecmd_bin_alias',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
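Review bot: turning this into an error is a build-breaking change for any module that still calls corecmd_bin_alias, and the message `$0($*) has been deprecated.` gives the caller nothing to act on. Since the subject says these are the interfaces with no replacement, make the message say so, e.g. `refpolicyerr(`$0($*) has been deprecated and has no replacement.')`, and put the rationale for which interfaces were promoted to errors in the commit body, which is currently empty.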
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7c6b791..dbba365 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1790,7 +1790,7 @@ interface(`fs_manage_dos_files',`
#
# eventpollfs was changed to task SID 20060628
interface(`fs_read_eventpollfs',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
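Review bot: the comment `# eventpollfs was changed to task SID 20060628` shows fs_read_eventpollfs has been a no-op since 2006; once any remaining caller is a hard error there is little reason to carry an interface whose only body is refpolicyerr, so consider removing it outright in a follow-up and noting the removal in the commit message.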
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 4bf45cb..cf7e492 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -299,7 +299,7 @@ interface(`kernel_dgram_send',`
## </param>
#
interface(`kernel_tcp_recvfrom',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -313,7 +313,7 @@ interface(`kernel_tcp_recvfrom',`
## </param>
#
interface(`kernel_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -327,7 +327,7 @@ interface(`kernel_udp_send',`
## </param>
#
interface(`kernel_udp_recvfrom',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..057a197 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -582,7 +582,7 @@ interface(`ssh_dontaudit_rw_tcp_sockets',`
## </param>
#
interface(`ssh_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..e608e05 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -670,7 +670,7 @@ interface(`init_dontaudit_use_fds',`
## </param>
#
interface(`init_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -1359,7 +1359,7 @@ interface(`init_rw_script_pipes',`
## </param>
#
interface(`init_udp_send_script',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..b24ebed 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -503,7 +503,7 @@ interface(`libs_relabel_shared_libs',`
## </param>
#
interface(`lib_filetrans_shared_lib',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -532,5 +532,5 @@ interface(`lib_filetrans_shared_lib',`
## </param>
#
interface(`files_lib_filetrans_shared_lib',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..2c7f07d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -126,7 +126,7 @@ interface(`mount_use_fds',`
## </param>
#
interface(`mount_send_nfs_client_request',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index db7aabb..74b171d 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -150,7 +150,7 @@ interface(`unconfined_domain',`
## </param>
#
interface(`unconfined_alias_domain',`
- refpolicywarn(`$0($1) has been deprecated.')
+ refpolicyerr(`$0($1) has been deprecated.')
')

########################################
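Review bot: style point, both unconfined.if hunks keep `$0($1)` in the message while every other hunk in this patch uses `$0($*)`; since the series is about a uniform error, use `$*` here as well so the full argument list is echoed when the build stops.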
@@ -176,7 +176,7 @@ interface(`unconfined_alias_domain',`
## </param>
#
interface(`unconfined_execmem_alias_program',`
- refpolicywarn(`$0($1) has been deprecated.')
+ refpolicyerr(`$0($1) has been deprecated.')
')

########################################
--
1.7.10.4


2012-09-04 21:21:08

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

From: Mika Pflüger <[email protected]>

Add a new boolean to grant users access to dosfs_t.
---
policy/global_tunables | 7 +++++++
policy/modules/system/userdomain.if | 6 ++++++
2 files changed, 13 insertions(+)

diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..43cc19a 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to manage files on dosfs_t devices, usually removable media
+## </p>
+## </desc>
+gen_tunable(user_manage_dos_files,true)
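Review bot: `gen_tunable(user_manage_dos_files,true)` ships enabled, so every user domain gets the fs_manage_dos_dirs/fs_manage_dos_files access granted in the userdomain.if hunk (create, write and delete, not just read) on any dosfs_t filesystem before an administrator has made a choice; a newly added permission should default to false and be switched on by the distribution. The declaration also belongs in userdomain.te rather than global_tunables, because its only consumer is userdomain.if, and the name should carry the module prefix (userdomain_...) like the other booleans declared there. In the description, dosfs_t labels a filesystem, not a device, and "usually removable media" is an assumption about where it is mounted; "Determine whether users can manage dosfs content." says what the boolean does without that guess.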
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e720dcd..0c96b65 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ tunable_policy(`user_manage_dos_files',`
+ fs_manage_dos_dirs($1_t)
+ fs_manage_dos_files($1_t)
+ ')
+
')

#######################################
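Review bot: this adds fs_manage_dos_dirs/fs_manage_dos_files to userdom_base_user_template, the template meant to define the most minimal user; dosfs access is not part of a minimal user and should move to a higher-level template such as userdom_common_user_template. Also, the subject says "user access" but the interfaces used are the manage variants, so the commit message should state that users get write and delete access on dosfs_t, not only read.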
--
1.7.10.4

2012-09-04 21:21:09

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

From: Mika Pflüger <[email protected]>

---
policy/modules/system/iptables.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0646ee7..6f2fb69 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
# Iptables local policy
#

+kernel_request_load_module(iptables_t)
allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
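Review bot: the commit message is empty, so the hunk gives no evidence of which operation produced the module_request denial this permission addresses; the commit body should name it (later in this thread it is identified as a plain `iptables -vL` autoloading iptable_filter, ip_tables and x_tables). Before applying, check whether iptables.te on master already carries `kernel_request_load_module(iptables_t)` further down, as the thread suggests; a duplicate call builds without complaint but makes this patch a no-op. Style: kernel_* interface calls belong after the domain's own `allow iptables_t self:...` rules, not above them.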
--
1.7.10.4

2012-09-04 22:57:05

by Guido Trentalancia

Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pflüger <[email protected]>
>
> ---
> policy/modules/system/iptables.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 0646ee7..6f2fb69 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
> # Iptables local policy
> #
>
> +kernel_request_load_module(iptables_t)
> allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
> dontaudit iptables_t self:capability sys_tty_config;
> allow iptables_t self:fifo_file rw_fifo_file_perms;

Is this for IPv6? It was not recommended in the NSA security guidelines.
Has this now been changed? If not, then perhaps it can be enclosed in
tunable policy?

Regards,

Guido

2012-09-04 23:45:01

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pflüger <[email protected]>
>
> Add a new boolean to grant users access to dosfs_t.
> ---
> policy/global_tunables | 7 +++++++
> policy/modules/system/userdomain.if | 6 ++++++
> 2 files changed, 13 insertions(+)
>
> diff --git a/policy/global_tunables b/policy/global_tunables
> index 4705ab6..43cc19a 100644
> --- a/policy/global_tunables
> +++ b/policy/global_tunables
> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
> ## </p>
> ## </desc>
> gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Allow users to manage files on dosfs_t devices, usually removable media
> +## </p>
> +## </desc>
> +gen_tunable(user_manage_dos_files,true)

In my opinion it is good to have this as an option, but in a secure
environment the default should be false for removable media.

> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index e720dcd..0c96b65 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
> +
> + tunable_policy(`user_manage_dos_files',`
> + fs_manage_dos_dirs($1_t)
> + fs_manage_dos_files($1_t)
> + ')
> +
> ')
>
> #######################################
>

Regards,

Guido

2012-09-05 00:30:20

by Russell Coker

Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

On Wed, 5 Sep 2012, Guido Trentalancia <[email protected]> wrote:
> > +kernel_request_load_module(iptables_t)
> >
> > allow iptables_t self:capability { dac_read_search dac_override
> >net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
> > allow iptables_t self:fifo_file rw_fifo_file_perms;
>
> Is this for IPv6? It was not recommended in the NSA security guidelines.
> Has this now been changed? If not, then perhaps it can be enclosed in
> tunable policy?

No, it happened on systems that didn't use any ip6tables commands.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2012-09-05 00:32:31

by Russell Coker

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On Wed, 5 Sep 2012, Guido Trentalancia <[email protected]> wrote:
> > +## <desc>
> > +## <p>
> > +## Allow users to manage files on dosfs_t devices, usually removable
> > media +## </p>
> > +## </desc>
> > +gen_tunable(user_manage_dos_files,true)
>
> In my opinion it is good to have this as an option, but in a secure
> environment the default should be false for removable media.

It's one setsebool command to make it "secure" in that regard. I think that
for most systems where you really don't want users reading files on FAT
filesystems you won't have the ability to even mount them (remove USB ports
etc). For the majority of servers there will be no physical access by
untrusted users. For the majority of desktop systems such access will be
desired and it's one more potential thing for less clueful people to cite as a
reason for not using SE Linux if it doesn't work by default.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2012-09-05 07:00:28

by dominick.grift

Subject: [refpolicy] [PATCH 2/3] user access to DOS files



On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
> On 04/09/2012 23:21, Laurent Bigonville wrote:
> > From: Mika Pflüger <[email protected]>
> >
> > Add a new boolean to grant users access to dosfs_t.
> > ---
> > policy/global_tunables | 7 +++++++
> > policy/modules/system/userdomain.if | 6 ++++++
> > 2 files changed, 13 insertions(+)
> >
> > diff --git a/policy/global_tunables b/policy/global_tunables
> > index 4705ab6..43cc19a 100644
> > --- a/policy/global_tunables
> > +++ b/policy/global_tunables
> > @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
> > ## </p>
> > ## </desc>
> > gen_tunable(user_tcp_server,false)
> > +
> > +## <desc>
> > +## <p>
> > +## Allow users to manage files on dosfs_t devices, usually removable media
> > +## </p>
> > +## </desc>
> > +gen_tunable(user_manage_dos_files,true)
>
> In my opinion it is good to have this as an option, but in a secure
> environment the default should be false for removable media.

I would prefer the boolean to be prefixed userdom or userdomain instead
of user, because that is the module that declares this boolean.

Since the user is also allowed to manage dos dirs I would probably call
it: userdomain_manage_dos_content

As description I would use:

"Determine whether users can manage dosfs content."

> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index e720dcd..0c96b65 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
> > # Allow making the stack executable via mprotect.
> > allow $1_t self:process execstack;
> > ')
> > +
> > + tunable_policy(`user_manage_dos_files',`
> > + fs_manage_dos_dirs($1_t)
> > + fs_manage_dos_files($1_t)
> > + ')
> > +
> > ')
> >
> > #######################################
> >
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2012-09-05 08:41:52

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 05/09/2012 09:00, Dominick Grift wrote:
>
>
> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>> From: Mika Pflüger <[email protected]>
>>>
>>> Add a new boolean to grant users access to dosfs_t.
>>> ---
>>> policy/global_tunables | 7 +++++++
>>> policy/modules/system/userdomain.if | 6 ++++++
>>> 2 files changed, 13 insertions(+)
>>>
>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>> index 4705ab6..43cc19a 100644
>>> --- a/policy/global_tunables
>>> +++ b/policy/global_tunables
>>> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
>>> ## </p>
>>> ## </desc>
>>> gen_tunable(user_tcp_server,false)
>>> +
>>> +## <desc>
>>> +## <p>
>>> +## Allow users to manage files on dosfs_t devices, usually removable media
>>> +## </p>
>>> +## </desc>
>>> +gen_tunable(user_manage_dos_files,true)
>>
>> In my opinion it is good to have this as an option, but in a secure
>> environment the default should be false for removable media.
>
> I would prefer the boolean to be prefixed userdom or userdomain instead
> of user, because that is the module that declares this boolean.
>
> Since the user is also allowed to manage dos dirs I would probably call
> it: userdomain_manage_dos_content
>
> As description I would use:
>
> "Determine whether users can manage dosfs content."

I agree. And in particular it's not "dos files", which can be confusing,
but dos filesystems, which is already perfected in Dominick's amendments.

>>> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
>>> index e720dcd..0c96b65 100644
>>> --- a/policy/modules/system/userdomain.if
>>> +++ b/policy/modules/system/userdomain.if
>>> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
>>> # Allow making the stack executable via mprotect.
>>> allow $1_t self:process execstack;
>>> ')
>>> +
>>> + tunable_policy(`user_manage_dos_files',`
>>> + fs_manage_dos_dirs($1_t)
>>> + fs_manage_dos_files($1_t)
>>> + ')
>>> +
>>> ')
>>>
>>> #######################################

2012-09-05 08:47:14

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 05/09/2012 02:32, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia <[email protected]> wrote:
>>> +## <desc>
>>> +## <p>
>>> +## Allow users to manage files on dosfs_t devices, usually removable
>>> media +## </p>
>>> +## </desc>
>>> +gen_tunable(user_manage_dos_files,true)
>>
>> In my opinion it is good to have this as an option, but in a secure
>> environment the default should be false for removable media.
>
> It's one setsebool command to make it "secure" in that regard. I think that
> for most systems where you really don't want users reading files on FAT
> filesystems you won't have the ability to even mount them (remove USB ports
> etc). For the majority of servers there will be no physical access by
> untrusted users. For the majority of desktop systems such access will be
> desired and it's one more potential thing for less clueful people to cite as a
> reason for not using SE Linux if it doesn't work by default.

It depends in my opinion whether most desktops are "home" and "personal"
desktops or "office" desktops...

I do not have such a figure at hand now.

But for sure, with business networks being routinely or randomly
monitored, one of the major sources of leaks of confidential data from
companies nowadays is removable media.

Best regards,

Guido

2012-09-05 08:48:44

by Guido Trentalancia

Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

On 05/09/2012 02:30, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia <[email protected]> wrote:
>>> +kernel_request_load_module(iptables_t)
>>>
>>> allow iptables_t self:capability { dac_read_search dac_override
>>> net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
>>> allow iptables_t self:fifo_file rw_fifo_file_perms;
>>
>> Is this for IPv6? It was not recommended in the NSA security guidelines.
>> Has this now been changed? If not, then perhaps it can be enclosed in
>> tunable policy?
>
> No, it happened on systems that didn't use any ip6tables commands.

So, what is the module that it needs to load?

Guido

2012-09-05 09:23:53

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

On Wed, 05 Sep 2012 10:48:44 +0200,
Guido Trentalancia <[email protected]> wrote:

> On 05/09/2012 02:30, Russell Coker wrote:
> > On Wed, 5 Sep 2012, Guido Trentalancia <[email protected]>
> > wrote:
> >>> +kernel_request_load_module(iptables_t)
> >>>
> >>> allow iptables_t self:capability { dac_read_search dac_override
> >>> net_admin net_raw }; dontaudit iptables_t self:capability
> >>> sys_tty_config; allow iptables_t self:fifo_file
> >>> rw_fifo_file_perms;
> >>
> >> Is this for IPv6? It was not recommended in the NSA security
> >> guidelines. Has this now been changed? If not, then perhaps it
> >> can be enclosed in tunable policy?
> >
> > No, it happened on systems that didn't use any ip6tables commands.
>
> So, what is the module that it needs to load?

On my Debian machine, running "iptables -vL" automatically loads
iptable_filter, ip_tables and x_tables.

But anyway, it seems that the iptables.te file on git master already
contains that line (from 2009) a bit later in the code, so I guess
that patch can just be dropped.

Sorry for the noise,

Cheers

Laurent Bigonville

2012-09-05 13:24:19

by Daniel Walsh

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
> On 05/09/2012 09:00, Dominick Grift wrote:
>>
>>
>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>> From: Mika Pflüger <[email protected]>
>>>>
>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>> policy/global_tunables | 7 +++++++
>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13
>>>> insertions(+)
>>>>
>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>
>>> In my opinion it is good to have this as an option, but in a secure
>>> environment the default should be false for removable media.
>>
>> I would prefer the boolean to be prefixed userdom or userdomain instead of
>> user, because that is the module that declares this boolean.
>>
>> Since the user is also allowed to manage dos dirs I would probably call
>> it: userdomain_manage_dos_content
>>
>> As description I would use:
>>
>> "Determine whether users can manage dosfs content."
>
> I agree. And in particular it's not "dos files", which can be confusing,
> but dos filesystems, which is already perfected in Dominick's
> amendments.
>
>>>> diff --git a/policy/modules/system/userdomain.if
>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>> --- a/policy/modules/system/userdomain.if +++
>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t)
>>>> + fs_manage_dos_files($1_t) + ') + ')
>>>>
>>>> #######################################
>
I think all booleans should be off by default and then the distributions can
decide which booleans to turn on using the booleans.conf file. This would
allow us one file to look at to see what is enabled.


2012-09-05 15:04:14

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 05/09/2012 15:24, Daniel J Walsh wrote:
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pflüger <[email protected]>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables | 7 +++++++
>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion it is good to have this as an option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> I would prefer the boolean to be prefixed userdom or userdomain instead of
>>> user, because that is the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs I would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> As description I would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And in particular it's not "dos files", which can be confusing,
>> but dos filesystems, which is already perfected in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t)
>>>>> + fs_manage_dos_files($1_t) + ') + ')
>>>>>
>>>>> #######################################
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file. This would
> allow us one file to look at to see what is enabled.

Yes, exactly. At least until Reference Policy decides to ship a few
official example booleans.conf configuration files in a separate
directory, to resemble typical situations/environments such as the ones
already described as "personal", "home", "office" and so on.

Another possible point of failure with allowing filesystems for other
OSes by default is the presence of multi-boot systems. On such
systems, if one OS is compromised, it could in theory compromise the
others too.

So, in theory (and in my opinion), it's not just a matter of preventing
the mount of removable media, which as Russell Coker noted can be
disabled elsewhere...

Regards,

Guido

2012-09-05 15:50:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2 2/3] user access to DOS filesystems

From: Mika Pflüger <[email protected]>

Add a new boolean to grant users access to dosfs_t.
---
policy/global_tunables | 7 +++++++
policy/modules/system/userdomain.if | 6 ++++++
2 files changed, 13 insertions(+)

diff --git a/policy/global_tunables b/policy/global_tunables
index 4705ab6..092df0b 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
## </p>
## </desc>
gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Determine whether users can manage dosfs content.
+## </p>
+## </desc>
+gen_tunable(userdomain_manage_dos_content,false)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e720dcd..949c738 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ tunable_policy(`userdomain_manage_dos_content',`
+ fs_manage_dos_dirs($1_t)
+ fs_manage_dos_files($1_t)
+ ')
+
')

#######################################
--
1.7.10.4

2012-09-05 17:58:14

by cpebenito

Subject: [refpolicy] [PATCH v2 2/3] user access to DOS filesystems

On 09/05/12 11:50, Laurent Bigonville wrote:
> From: Mika Pflüger <[email protected]>
>
> Add a new boolean to grant users access to dosfs_t.
> ---
> policy/global_tunables | 7 +++++++
> policy/modules/system/userdomain.if | 6 ++++++
> 2 files changed, 13 insertions(+)
>
> diff --git a/policy/global_tunables b/policy/global_tunables
> index 4705ab6..092df0b 100644
> --- a/policy/global_tunables
> +++ b/policy/global_tunables
> @@ -111,3 +111,10 @@ gen_tunable(use_samba_home_dirs,false)
> ## </p>
> ## </desc>
> gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Determine whether users can manage dosfs content.
> +## </p>
> +## </desc>
> +gen_tunable(userdomain_manage_dos_content,false)

This should be moved to the userdomain module, as its effect is only in that module. Global tunables should only be used if the tunable is used in multiple modules.

> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index e720dcd..949c738 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -117,6 +117,12 @@ template(`userdom_base_user_template',`
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
> +
> + tunable_policy(`userdomain_manage_dos_content',`
> + fs_manage_dos_dirs($1_t)
> + fs_manage_dos_files($1_t)
> + ')
> +

This is too low level of a template for this access. It should be moved to a higher level template such as userdom_common_user_template. userdom_base_user_template is supposed to define the most minimal user.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-06 11:14:20

by Guido Trentalancia

Subject: [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)

Hello Daniel.

Following your reflections, I have checked the current situation and I
share the concerns, so I have created a patch which disables most
tunable policy booleans (except network and the mcelog module as it
deals amongst other things with CPU thermal events which can be related
to hardware failures).

On 05/09/2012 15:24, Daniel J Walsh wrote:
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pflüger <[email protected]>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables | 7 +++++++
>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion it is good to have this as an option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> I would prefer the boolean to be prefixed userdom or userdomain instead of
>>> user, because that is the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs I would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> As description I would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And in particular it's not "dos files", which can be confusing,
>> but dos filesystems, which is already perfected in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t)
>>>>> + fs_manage_dos_files($1_t) + ') + ')
>>>>>
>>>>> #######################################
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file. This would
> allow us one file to look at to see what is enabled.

Turn off all/most tunable policy booleans by default
in Reference Policy (except network).

They can be enabled on a per-distribution basis
and many of those that were enabled were somehow
risky as defaults.

Signed-off-by: Guido Trentalancia <[email protected]>
---

diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
--- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te Thu
Sep 6 10:56:21 2012
@@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true)
## print out usage and version information.
## </p>
## </desc>
-gen_tunable(mcelog_foreground, true)
+gen_tunable(mcelog_foreground, false)

## <desc>
## <p>
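Review bot: this hunk flips mcelog_foreground to false although the cover text for this patch (quoted further down in the thread) says the mcelog module is left alone because it deals with CPU thermal events related to hardware failures; either drop the mcelog.te hunks or reword the description so it names exactly what is exempted, since mcelog_exec_scripts, visible unchanged in the hunk header, appears to be the only mcelog tunable kept at true.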
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false)
## syslog option.
## </p>
## </desc>
-gen_tunable(mcelog_syslog, true)
+gen_tunable(mcelog_syslog, false)

type mcelog_t;
type mcelog_exec_t;
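Review bot: turning mcelog_syslog off by default disables the behaviour the context lines describe as the "syslog option"; for a change motivated by safer defaults, consider keeping this one enabled, because losing hardware-error records reduces visibility rather than attack surface, and if the flip is intentional say so in the commit message.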
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/qemu.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
--- refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
Thu Sep 6 10:53:27 2012
@@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false)
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
-gen_tunable(qemu_use_cifs, true)
+gen_tunable(qemu_use_cifs, false)

## <desc>
## <p>
@@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false)
## Allow qemu to use nfs file systems
## </p>
## </desc>
-gen_tunable(qemu_use_nfs, true)
+gen_tunable(qemu_use_nfs, false)

## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
-gen_tunable(qemu_use_usb, true)
+gen_tunable(qemu_use_usb, false)

type qemu_exec_t;
virt_domain_template(qemu)
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/rpc.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te
--- refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te
Thu Sep 6 10:54:59 2012
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
## Allow gssd to read temp directory. For access to kerberos tgt.
## </p>
## </desc>
-gen_tunable(allow_gssd_read_tmp, true)
+gen_tunable(allow_gssd_read_tmp, false)

## <desc>
## <p>
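Review bot: no module version bump accompanies this change: the hunk header still shows policy_module(rpc, 1.14.0), and the same holds for policy_module(xen, 1.12.0) and policy_module(xguest, 1.1.0) further down. refpolicy expects the module version to be incremented whenever a module's policy changes, so each touched .te file should get a bump in the same patch.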
diff -pru
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
---
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
Thu Sep 6 10:54:20 2012
@@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa
## Allow spamd to read/write user home directories.
## </p>
## </desc>
-gen_tunable(spamd_enable_home_dirs, true)
+gen_tunable(spamd_enable_home_dirs, false)

type spamassassin_t;
type spamassassin_exec_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/virt.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
--- refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
Thu Sep 6 10:54:05 2012
@@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false)
## Allow virt to use usb devices
## </p>
## </desc>
-gen_tunable(virt_use_usb, true)
+gen_tunable(virt_use_usb, false)

virt_domain_template(svirt)
role system_r types svirt_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xen.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te
Thu Sep 6 10:54:41 2012
@@ -11,7 +11,7 @@ policy_module(xen, 1.12.0)
## Not required if using dedicated logical volumes for disk images.
## </p>
## </desc>
-gen_tunable(xend_run_blktap, true)
+gen_tunable(xend_run_blktap, false)

## <desc>
## <p>
@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true)
## Not required if using paravirt and no vfb.
## </p>
## </desc>
-gen_tunable(xend_run_qemu, true)
+gen_tunable(xend_run_qemu, false)

## <desc>
## <p>
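Review bot: with xend_run_blktap and xend_run_qemu both defaulting to false, the context lines say these are only unneeded "if using dedicated logical volumes for disk images" and "if using paravirt and no vfb"; file-backed disk images and HVM guests with a framebuffer therefore stop working until a distribution enables the booleans. State that expectation in the commit message (or in booleans.conf, as Daniel suggested) so the behaviour change is not discovered through denials.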
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xguest.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te Thu
Sep 6 10:53:49 2012
@@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
## Allow xguest users to mount removable media
## </p>
## </desc>
-gen_tunable(xguest_mount_media, true)
+gen_tunable(xguest_mount_media, false)

## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
-gen_tunable(xguest_connect_network, true)
+gen_tunable(xguest_connect_network, false)

## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
-gen_tunable(xguest_use_bluetooth, true)
+gen_tunable(xguest_use_bluetooth, false)

role xguest_r;

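Review bot: xguest_connect_network (context: "Allow xguest to configure Network Manager") is a network boolean, yet the commit message says booleans are turned off "except network"; either keep this one at true or drop the exception from the message so readers know the unprivileged xguest role loses network configuration by default.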
diff -pru
refpolicy-09062012-git-master/policy/modules/services/postgresql.te
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
--- refpolicy-09062012-git-master/policy/modules/services/postgresql.te
Thu Sep 6 10:50:18 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
Thu Sep 6 10:51:57 2012
@@ -23,7 +23,7 @@ gen_require(`
## Allow unprived users to execute DDL statement
## </p>
## </desc>
-gen_tunable(sepgsql_enable_users_ddl, true)
+gen_tunable(sepgsql_enable_users_ddl, false)

## <desc>
## <p>
@@ -37,7 +37,7 @@ gen_tunable(sepgsql_transmit_client_labe
## Allow database admins to execute DML statement
## </p>
## </desc>
-gen_tunable(sepgsql_unconfined_dbadm, true)
+gen_tunable(sepgsql_unconfined_dbadm, false)

type postgresql_t;
type postgresql_exec_t;

2012-09-06 12:54:11

by Daniel Walsh

Subject: [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)

On 09/06/2012 07:14 AM, Guido Trentalancia wrote:
> Hello Daniel.
>
> Following your reflections, I have checked the current situation and I
> share the concerns, so I have created a patch which disables most tunable
> policy booleans (except network and the mcelog module as it deals amongst
> other things with CPU thermal events which can be related to hardware
> failures).
>
> On 05/09/2012 15:24, Daniel J Walsh wrote:
>>
>> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>>
>>>>
>>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>>> From: Mika Pflüger <[email protected]>
>>>>>>
>>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>>> policy/global_tunables | 7 +++++++
>>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files
>>>>>> changed, 13 insertions(+)
>>>>>>
>>>>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>>>>> index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +##
>>>>>> Allow users to manage files on dosfs_t devices, usually removable
>>>>>> media +## </p> +## </desc>
>>>>>> +gen_tunable(user_manage_dos_files,true)
>>>>>
>>>>> In my opinion it is good to have this as an option, but in a secure
>>>>> environment the default should be false for removable media.
>>>>
>>>> I would prefer the boolean to be prefixed userdom or userdomain
>>>> instead of user, because that is the module that declares this
>>>> boolean.
>>>>
>>>> Since the user is also allowed to manage dos dirs I would probably
>>>> call it: userdomain_manage_dos_content
>>>>
>>>> As description I would use:
>>>>
>>>> "Determine whether users can manage dosfs content."
>>>
>>> I agree. And, in particular, it's not "dos files", which can be
>>> confusing, but dos filesystems, which is already perfected in
>>> Dominick's amendments.
>>>
>>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65
>>>>>> 100644 --- a/policy/modules/system/userdomain.if +++
>>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>>> executable via mprotect. allow $1_t self:process execstack; ') +
>>>>>> + tunable_policy(`user_manage_dos_files',` +
>>>>>> fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) +
>>>>>> ') + ')
>>>>>>
>>>>>> #######################################
>>>
>> I think all booleans should be off by default and then the distributions
>> can decide which booleans to turn on using the booleans.conf file. This
>> would allow us one file to look at to see what is enabled.
>
> Turn off all/most tunable policy booleans by default in Reference Policy
> (except network).
>
> They can be enabled on a per-distribution basis and many of those that were
> enabled were somehow risky as defaults.
>
> Signed-off-by: Guido Trentalancia <[email protected]> ---
>
> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
> --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
> Thu Sep 6 10:56:21 2012 @@ -30,7 +30,7 @@
> gen_tunable(mcelog_exec_scripts, true) ## print out usage and version
> information. ## </p> ## </desc> -gen_tunable(mcelog_foreground, true)
> +gen_tunable(mcelog_foreground, false)
>
> ## <desc> ## <p> @@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ##
> syslog option. ## </p> ## </desc> -gen_tunable(mcelog_syslog, true)
> +gen_tunable(mcelog_syslog, false)
>
> type mcelog_t; type mcelog_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
> Thu Sep 6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network,
> false) ## Allow qemu to use cifs/Samba file systems ## </p> ## </desc>
> -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false)
>
> ## <desc> ## <p> @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ##
> Allow qemu to use nfs file systems ## </p> ## </desc>
> -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false)
>
> ## <desc> ## <p> ## Allow qemu to use usb devices ## </p> ## </desc>
> -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false)
>
> type qemu_exec_t; virt_domain_template(qemu) diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu
> Sep 6 10:54:59 2012 @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow
> gssd to read temp directory. For access to kerberos tgt. ## </p> ##
> </desc> -gen_tunable(allow_gssd_read_tmp, true)
> +gen_tunable(allow_gssd_read_tmp, false)
>
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
>
- --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
>
Thu Sep 6 10:54:20 2012
> @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd
> to read/write user home directories. ## </p> ## </desc>
> -gen_tunable(spamd_enable_home_dirs, true)
> +gen_tunable(spamd_enable_home_dirs, false)
>
> type spamassassin_t; type spamassassin_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
> Thu Sep 6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs,
> false) ## Allow virt to use usb devices ## </p> ## </desc>
> -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false)
>
> virt_domain_template(svirt) role system_r types svirt_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu
> Sep 6 10:54:41 2012 @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not
> required if using dedicated logical volumes for disk images. ## </p> ##
> </desc> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap,
> false)
>
> ## <desc> ## <p> @@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ##
> Not required if using paravirt and no vfb. ## </p> ## </desc>
> -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false)
>
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xguest.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
> --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
> Thu Sep 6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
> ## Allow xguest users to mount removable media ## </p> ## </desc>
> -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media,
> false)
>
> ## <desc> ## <p> ## Allow xguest to configure Network Manager ## </p> ##
> </desc> -gen_tunable(xguest_connect_network, true)
> +gen_tunable(xguest_connect_network, false)
>
> ## <desc> ## <p> ## Allow xguest to use blue tooth devices ## </p> ##
> </desc> -gen_tunable(xguest_use_bluetooth, true)
> +gen_tunable(xguest_use_bluetooth, false)
>
> role xguest_r;
>
> diff -pru
> refpolicy-09062012-git-master/policy/modules/services/postgresql.te
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
>
- --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep
> 6 10:50:18 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
>
Thu Sep 6 10:51:57 2012
> @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL
> statement ## </p> ## </desc> -gen_tunable(sepgsql_enable_users_ddl, true)
> +gen_tunable(sepgsql_enable_users_ddl, false)
>
> ## <desc> ## <p> @@ -37,7 +37,7 @@
> gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to
> execute DML statement ## </p> ## </desc>
> -gen_tunable(sepgsql_unconfined_dbadm, true)
> +gen_tunable(sepgsql_unconfined_dbadm, false)
>
> type postgresql_t; type postgresql_exec_t;
>

That looks good to me.
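As an added example (not code from the thread or from the refpolicy tree), a small Python audit of the defaults this patch is changing: it lists which gen_tunable() booleans end up enabled once a booleans.conf-style override file (assumed here to use one `name = true|false` line per boolean) is applied, flags override names that match no declaration, and performs the mechanical default-to-false rewrite with a keep-list such as the network exception the commit message mentions. The sample policy and override text are constructed from the hunks in this thread.

```python
"""Audit and rewrite refpolicy tunable defaults (added example, not from
the refpolicy tree or from this thread's patch). It reads .te text for
gen_tunable(name, default) declarations, applies booleans.conf-style
overrides (assumed layout: one "name = true|false" per line), reports
what ends up enabled plus overrides that name no tunable (a misspelled
line silently changes nothing), and can flip every default to false
except a keep-list, which is what the patch above does by hand."""
import re
from typing import Dict, List, Set, Tuple

GEN_TUNABLE = re.compile(
    r"^(\s*gen_tunable\(\s*)([A-Za-z0-9_]+)(\s*,\s*)(true|false)(\s*\))", re.M)
BOOL_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(true|false)\s*$", re.M)

def parse_tunables(policy_text: str) -> Dict[str, bool]:
    """Map each declared tunable to its built-in default."""
    return {m.group(2): m.group(4) == "true" for m in GEN_TUNABLE.finditer(policy_text)}

def parse_booleans_conf(conf_text: str) -> Dict[str, bool]:
    """Read distribution overrides; '#' comment lines never match BOOL_LINE."""
    return {name: val == "true" for name, val in BOOL_LINE.findall(conf_text)}

def audit(policy_text: str, conf_text: str) -> Tuple[List[str], List[str]]:
    """Return (booleans enabled after overrides, override names with no declaration)."""
    effective = parse_tunables(policy_text)
    unknown = []
    for name, value in parse_booleans_conf(conf_text).items():
        if name in effective:
            effective[name] = value
        else:
            unknown.append(name)  # typo or stale name: the override is inert
    return sorted(n for n, v in effective.items() if v), sorted(unknown)

def rewrite_defaults(policy_text: str, keep: Set[str]) -> str:
    """Set every gen_tunable default to false except the names in `keep`."""
    def flip(m: "re.Match[str]") -> str:
        if m.group(2) in keep:
            return m.group(0)
        return m.group(1) + m.group(2) + m.group(3) + "false" + m.group(5)
    return GEN_TUNABLE.sub(flip, policy_text)

# Constructed sample, modelled on the xguest.te and global_tunables hunks above.
SAMPLE_POLICY = """\
policy_module(xguest, 1.1.0)
## <desc>
## Allow xguest users to mount removable media
## </desc>
gen_tunable(xguest_mount_media, true)
gen_tunable(xguest_connect_network, true)
gen_tunable(xguest_use_bluetooth, true)
gen_tunable(user_tcp_server,false)
gen_tunable(user_manage_dos_files,true)
"""

# Constructed booleans.conf-style overrides; the last name is deliberately misspelled.
SAMPLE_BOOLEANS_CONF = """\
# distribution choices
xguest_mount_media = false
user_manage_dos_files = false
xguest_use_bluetoth = false
"""

if __name__ == "__main__":
    enabled, unknown = audit(SAMPLE_POLICY, SAMPLE_BOOLEANS_CONF)
    print("enabled:", enabled, "inert overrides:", unknown)
    hardened = rewrite_defaults(SAMPLE_POLICY, keep={"xguest_connect_network"})
    print("enabled after rewrite:", [n for n, v in parse_tunables(hardened).items() if v])
```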

2012-09-06 14:24:01

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On Tue, 4 Sep 2012 23:21:08 +0200,
Laurent Bigonville <[email protected]> wrote:

> + tunable_policy(`user_manage_dos_files',`
> + fs_manage_dos_dirs($1_t)
> + fs_manage_dos_files($1_t)
> + ')
> +
> ')

I was reading the code further and isn't the proposed patch actually
redundant with user_rw_noexattrfile?

tunable_policy(`user_rw_noexattrfile',`
	fs_manage_noxattr_fs_files($1_t)
	fs_manage_noxattr_fs_dirs($1_t)
',`
	fs_read_noxattr_fs_files($1_t)
')

So shouldn't the proposed patch simply be dropped?

Cheers

Laurent Bigonville

2012-09-06 16:31:21

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 06/09/2012 16:24, Laurent Bigonville wrote:
> On Tue, 4 Sep 2012 23:21:08 +0200,
> Laurent Bigonville <[email protected]> wrote:
>
>> + tunable_policy(`user_manage_dos_files',`
>> + fs_manage_dos_dirs($1_t)
>> + fs_manage_dos_files($1_t)
>> + ')
>> +
>> ')
>
> I was reading the code further and isn't the proposed patch actually
> redundant with user_rw_noexattrfile?
>
> tunable_policy(`user_rw_noexattrfile',`
> fs_manage_noxattr_fs_files($1_t)
> fs_manage_noxattr_fs_dirs($1_t)
> ',`
> fs_read_noxattr_fs_files($1_t)
> ')
>
> So shouldn't the proposed patch simply be dropped?

Fortunately, it has not been applied, I think. And if it causes problems
and degradation of current policy, as you now recognize, why did you
post it in the first place then?

> Cheers
>
> Laurent Bigonville

2012-09-06 16:39:50

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> On Tue, 4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville <[email protected]> wrote:
>>
>>> + tunable_policy(`user_manage_dos_files',`
>>> + fs_manage_dos_dirs($1_t)
>>> + fs_manage_dos_files($1_t)
>>> + ')
>>> +
>>> ')
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>> tunable_policy(`user_rw_noexattrfile',`
>> fs_manage_noxattr_fs_files($1_t)
>> fs_manage_noxattr_fs_dirs($1_t)
>> ',`
>> fs_read_noxattr_fs_files($1_t)
>> ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then?

The version above does not exclude xattr, so it leads to a marked security
flaw. It also leads to another security risk, as already pointed out in
previous messages (no disabled boolean for cross-OS filesystem writes).

This project goes in the opposite direction, I suppose...

2012-09-06 17:05:37

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/3] user access to DOS files

On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> On Tue, 4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville <[email protected]> wrote:
>>
>>> + tunable_policy(`user_manage_dos_files',`
>>> + fs_manage_dos_dirs($1_t)
>>> + fs_manage_dos_files($1_t)
>>> + ')
>>> +
>>> ')
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>> tunable_policy(`user_rw_noexattrfile',`
>> fs_manage_noxattr_fs_files($1_t)
>> fs_manage_noxattr_fs_dirs($1_t)
>> ',`
>> fs_read_noxattr_fs_files($1_t)
>> ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then?

If you want to have some fun with filesystem-related things, then a very
light supplemental patch might be needed for the latest versions of the
ntfs-3g project, as far as I remember from testing. It would need to
have FUSE support, but made optional (through good use of tunable policy,
which means not allowing by default the loading of the fuse.ko kernel
module and a few other related permissions that are only needed in
FUSE-supporting versions).