2014-07-23 20:31:31

by Jason Zaman

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean

gssd needs to be able to add entries to the kerberos credential
cache. This adds a boolean to allow that.
---
rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)

diff --git a/rpc.te b/rpc.te
index 1a6dcc0..f2e44d5 100644
--- a/rpc.te
+++ b/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)

## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
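Review bot: the new tunable name `allow_gssd_write_tmp` copies the legacy `allow_*` style of the existing `allow_gssd_read_tmp` rather than naming what it actually toggles; `gssd_write_user_tmp_files` would match the `userdom_write_user_tmp_files()` interface it enables, and the existing read tunable should be renamed alongside it in the same series so the pair stays consistent. The `<desc>` text should also give the reason for the grant, i.e. that gssd has to write the user's kerberos credential cache under /tmp, since "write generic user temporary content" alone does not tell an administrator why they would turn this on. The `false` default is right for a write grant.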
@@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')

+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_write_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')
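Review bot: `userdom_write_user_tmp_files(gssd_t)` is write, not manage, so it does not cover `create`; the commit message says gssd only needs to "add entries" to an existing cache, which fits, but if gssd ever has to create the krb5cc file itself this boolean will still leave a denial, so confirm against the actual AVC records before settling on write rather than manage here. Separately, the grant is to every user_tmp_t file, not only to the credential cache: because the cache name is per-UID (and not fixed, so no name-based filetrans can narrow it), a boolean that defaults to off is the right mitigation, but the tunable description should state plainly that enabling it lets gssd write any user's tmp files.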
--
1.8.5.5


2014-07-24 08:35:31

by mgrepl

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean

On 07/23/2014 10:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential
> cache. This adds a boolean to allow that.
> ---
> rpc.te | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/rpc.te b/rpc.te
> index 1a6dcc0..f2e44d5 100644
> --- a/rpc.te
> +++ b/rpc.te
> @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
>
> ## <desc>
> ## <p>
> +## Determine whether gssd can write
> +## generic user temporary content.
> +## </p>
> +## </desc>
> +gen_tunable(allow_gssd_write_tmp, false)
> +
> +## <desc>
> +## <p>
> ## Determine whether nfs can modify
> ## public files used for public file
> ## transfer services. Directories/Files must
> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> userdom_read_user_tmp_symlinks(gssd_t)
> ')
>
> +tunable_policy(`allow_gssd_write_tmp',`
> + userdom_list_user_tmp(gssd_t)
> + userdom_write_user_tmp_files(gssd_t)
> +')
> +
> optional_policy(`
> automount_signal(gssd_t)
> ')
We probably want to think about a better boolean name for this one. Maybe

gssd_write_user_tmp_files

2014-07-24 09:00:02

by Jason Zaman

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean

On Thu, Jul 24, 2014 at 10:35:31AM +0200, Miroslav Grepl wrote:
> On 07/23/2014 10:31 PM, Jason Zaman wrote:
> > gssd needs to be able to add entries to the kerberos credential
> > cache. This adds a boolean to allow that.
> > ---
> > rpc.te | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> >
> > diff --git a/rpc.te b/rpc.te
> > index 1a6dcc0..f2e44d5 100644
> > --- a/rpc.te
> > +++ b/rpc.te
> > @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
> >
> > ## <desc>
> > ## <p>
> > +## Determine whether gssd can write
> > +## generic user temporary content.
> > +## </p>
> > +## </desc>
> > +gen_tunable(allow_gssd_write_tmp, false)
> > +
> > +## <desc>
> > +## <p>
> > ## Determine whether nfs can modify
> > ## public files used for public file
> > ## transfer services. Directories/Files must
> > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> > userdom_read_user_tmp_symlinks(gssd_t)
> > ')
> >
> > +tunable_policy(`allow_gssd_write_tmp',`
> > + userdom_list_user_tmp(gssd_t)
> > + userdom_write_user_tmp_files(gssd_t)
> > +')
> > +
> > optional_policy(`
> > automount_signal(gssd_t)
> > ')
> We probably want to think about better boolean name for this one. Maybe
>
> gssd_write_user_tmp_files

That does sound better, yes. I was basing it off the already existing
read boolean. The original read one should then probably be renamed too.
In that case, do these sound better?

gssd_write_user_tmp_files
gssd_read_user_tmp_files

I can send a patch that renames the read one and adds the new write bool.

2014-07-25 12:19:16

by cpebenito

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean

On 7/23/2014 4:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential
> cache. This adds a boolean to allow that.
[...]
> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> userdom_read_user_tmp_symlinks(gssd_t)
> ')
>
> +tunable_policy(`allow_gssd_write_tmp',`
> + userdom_list_user_tmp(gssd_t)
> + userdom_write_user_tmp_files(gssd_t)
> +')
> +

Are you sure that these credential caches can't have more specific
labels, e.g. by name filetrans?

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-07-25 12:37:46

by Jason Zaman

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean

On Fri, Jul 25, 2014 at 08:19:16AM -0400, Christopher J. PeBenito wrote:
> On 7/23/2014 4:31 PM, Jason Zaman wrote:
> > gssd needs to be able to add entries to the kerberos credential
> > cache. This adds a boolean to allow that.
> [...]
> > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> > userdom_read_user_tmp_symlinks(gssd_t)
> > ')
> >
> > +tunable_policy(`allow_gssd_write_tmp',`
> > + userdom_list_user_tmp(gssd_t)
> > + userdom_write_user_tmp_files(gssd_t)
> > +')
> > +
>
> Are you sure that these credential caches can't have more specific
> labels, e.g. by name filetrans?

That was sort of the point of my original question: the file is
/tmp/krb5cc_1000, i.e. it depends on the uid. A named transition is not quite
possible, but having something like krb_user_tmp_t would work; then gssd
could get access only to that instead of every single user_tmp_t.

I don't know enough about the details of kerberos but I think only the
kernel and kinit/klist/etc need to be able to read the credential
cache file so having it labelled as user_tmp_t is a bit strange.

-- Jason

2014-07-25 18:38:51

by Daniel Walsh

Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean


On 07/25/2014 08:37 AM, Jason Zaman wrote:
> On Fri, Jul 25, 2014 at 08:19:16AM -0400, Christopher J. PeBenito wrote:
>> On 7/23/2014 4:31 PM, Jason Zaman wrote:
>>> gssd needs to be able to add entries to the kerberos credential
>>> cache. This adds a boolean to allow that.
>> [...]
>>> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
>>> userdom_read_user_tmp_symlinks(gssd_t)
>>> ')
>>>
>>> +tunable_policy(`allow_gssd_write_tmp',`
>>> + userdom_list_user_tmp(gssd_t)
>>> + userdom_write_user_tmp_files(gssd_t)
>>> +')
>>> +
>> Are you sure that these credential caches can't have more specific
>> labels, e.g. by name filetrans?
> That was sort of the point of my original question, the file is
> /tmp/krb5cc_1000 ie depends on the uid. A named transition is not quite
> possible but having something like krb_user_tmp_t would work then gssd
> could get only access to that instead of every single user_tmp_t.
>
> I don't know enough about the details of kerberos but I think only the
> kernel and kinit/klist/etc need to be able to read the credential
> cache file so having it labelled as user_tmp_t is a bit strange.
>
> -- Jason
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
No, the name is randomized, not just krb_UID. It needs to be randomized to
stop other users from attacking your system,
just like any named content in /tmp.

If we had SimpleGlob support in the kernel, then we could do a file name
transition on something like krb*.

But that does not exist.
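The two points made in the exchange above, Jason's idea of a dedicated type that gssd is allowed to write instead of all of user_tmp_t, and Dan's reply that the cache name is randomized so an exact-name file transition cannot key on it, can be shown outside SELinux. The script below is an added example written for this page; it is not code from the thread, from refpolicy, or from rpc.gssd or MIT Kerberos. It assumes a scratch directory standing in for /tmp and two cache-name formats that are assumptions rather than facts from the thread: the predictable krb5cc_<uid> name Jason quotes, and a krb5cc_<uid>_XXXXXX name as produced by mkstemp. The two matching functions model only the last-component name check of a name-based type transition (exact match, which the kernel supports) and of the glob form Dan says does not exist; they are not a policy compiler.

```python
"""Added example, not part of the refpolicy thread or of any Kerberos code.

Shows (1) why a per-UID predictable name in a shared /tmp is attackable and
why an O_EXCL, random-suffix name is not, and (2) why an exact-name SELinux
file transition cannot be written for the randomized name, while a glob
(hypothetical "SimpleGlob" support) could.

Assumptions: cache names krb5cc_<uid> (predictable) and krb5cc_<uid>_XXXXXX
(mkstemp); a TemporaryDirectory stands in for /tmp so this runs unprivileged.
"""

import fnmatch
import os
import tempfile


def predictable_cache_path(tmpdir: str, uid: int) -> str:
    """The per-UID name quoted in the thread, e.g. /tmp/krb5cc_1000."""
    return os.path.join(tmpdir, f"krb5cc_{uid}")


def unsafe_create(tmpdir: str, uid: int, payload: bytes) -> str:
    """Open the predictable path with O_CREAT but without O_EXCL, as a naive
    writer would. If another local user pre-planted a symlink at that name,
    the write lands on the symlink's target. Returns the real path written.
    (On a real sticky /tmp, fs.protected_symlinks may block this; the scratch
    directory here is not sticky, so the follow succeeds.)"""
    path = predictable_cache_path(tmpdir, uid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)
    return os.path.realpath(path)


def safe_create(tmpdir: str, uid: int, payload: bytes) -> str:
    """mkstemp uses O_CREAT|O_EXCL and a random suffix: a pre-planted entry
    is never followed, and the final name cannot be guessed in advance."""
    fd, path = tempfile.mkstemp(prefix=f"krb5cc_{uid}_", dir=tmpdir)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)
    return path


def name_transition_matches(rule_name: str, created_name: str) -> bool:
    """What a kernel name-based type transition can express: an exact match
    on the last path component."""
    return rule_name == created_name


def glob_transition_matches(pattern: str, created_name: str) -> bool:
    """What the SimpleGlob support mentioned in the thread would allow.
    Hypothetical: the thread says this does not exist in the kernel."""
    return fnmatch.fnmatchcase(created_name, pattern)


def demo() -> dict:
    """Run both scenarios in a scratch directory and return the findings."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        # Attacker (another local user) plants a symlink at the predictable name.
        target = os.path.join(tmpdir, "attacker_controlled")
        os.symlink(target, predictable_cache_path(tmpdir, 1000))
        written = unsafe_create(tmpdir, 1000, b"ticket")
        results["unsafe_write_hijacked"] = written == os.path.realpath(target)

        # Randomized name with O_EXCL: nothing to pre-plant, nothing to follow.
        safe_path = safe_create(tmpdir, 1000, b"ticket")
        name = os.path.basename(safe_path)
        results["safe_name_has_random_suffix"] = (
            name.startswith("krb5cc_1000_") and len(name) > len("krb5cc_1000_")
        )

        # An exact-name filetrans keys on krb5cc_1000 only; it never sees
        # the mkstemp name, whereas a glob on krb5cc_* would.
        results["exact_rule_matches_predictable"] = name_transition_matches(
            "krb5cc_1000", "krb5cc_1000")
        results["exact_rule_matches_random"] = name_transition_matches(
            "krb5cc_1000", name)
        results["glob_rule_matches_random"] = glob_transition_matches(
            "krb5cc_*", name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The consequence for the patch is the one the thread reaches: with the cache name unpredictable and no glob support in the kernel, a per-file type cannot be assigned by name-based transition at creation time, so the write grant has to be on user_tmp_t as a whole, gated behind a boolean that defaults to off.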