From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 01 Mar 2010 10:32:24 -0500
Subject: [refpolicy] Possible regression and bug in userdom_base_user_template
In-Reply-To: <20100301150133.GG3990@myhost.felk.cvut.cz>
References: <20100301102220.GF3990@myhost.felk.cvut.cz> <1267450925.30557.7.camel@gorn.columbia.tresys.com> <20100301150133.GG3990@myhost.felk.cvut.cz>
Message-ID: <1267457544.30557.30.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-03-01 at 16:01 +0100, Michal Svoboda wrote:
> Christopher J. PeBenito wrote:
> > (have you looked to see what files are executable in /usr/share?)
>
> I don't seem to have any. But let's assume there are such.
>
> > I agree with Dan, I don't feel it's a big deal. usr_t files should be
> > high integrity system files, just like bin_t files are.
>
> It seems a little odd that usr_t privilege is in refpolicy, but bin_t is
> a fedora ext.

I don't know what you are referring to; I don't see such access in
refpolicy. I can see that the base user template can read usr_t files,
but not execute them. I even added a test user that only called the
template and opened up the compiled policy with apol; it still did not
have an execute permission on usr_t.

> However, this all was beside my point. Suppose it's a good thing, the
> way the base_user_template macro works right now. I understand that
> user_u will want to poke wildlife things in /usr/share, but that doesn't
> mean every se-user needs to do that. So is there a macro that defines a
> really minimal user?
>
> For example, if I want to create a restricted user type for sftp or svn
> that does not require executing anything besides one fixed program, what
> macro or template should I use?

There is no template that restrictive. In fact, it's impossible to
accomplish that unless you have statically-linked programs, since
dynamic linking requires execute on shared libraries.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
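The point made above (a user domain that can execute only one program still needs execute on the dynamic loader and shared libraries, so the "one fixed program" goal is unreachable without a statically linked binary) is easiest to see in a policy module. The following is an added illustration, not code from this thread or from refpolicy itself; the domain name restricted_user, the type restricted_tool_exec_t and the path /usr/local/bin/restricted-tool are hypothetical, and it assumes the refpolicy interfaces of this period (userdom_base_user_template, libs_use_ld_so, libs_use_shared_libs, can_exec) are available as named.

```selinux
policy_module(restricted_user, 0.1)

########################################
#
# Declarations
#

# Hypothetical type for the single program this user is meant to run.
type restricted_tool_exec_t;
files_type(restricted_tool_exec_t)

# Creates restricted_user_t / restricted_user_r and the bare terminal,
# process and basic read access the base template grants. As discussed
# in the thread, this gives read on usr_t but no execute on it.
userdom_base_user_template(restricted_user)

########################################
#
# Local policy
#

# The one program the user is allowed to execute (hypothetical label).
can_exec(restricted_user_t, restricted_tool_exec_t)

# Unavoidable if /usr/local/bin/restricted-tool is dynamically linked:
# ld.so must be executed and lib_t files must be mapped executable.
# Only a statically linked program lets these two lines be dropped.
libs_use_ld_so(restricted_user_t)
libs_use_shared_libs(restricted_user_t)
```

Matching file context line for the .fc file of this module (hypothetical path):

```selinux
/usr/local/bin/restricted-tool	--	gen_context(system_u:object_r:restricted_tool_exec_t,s0)
```

After loading the module, the same check the message describes with apol can be done from the shell with setools, for example `sesearch -A -s restricted_user_t -t usr_t -c file -p execute` (expected: no rules) and `sesearch -A -s restricted_user_t -t lib_t -c file -p execute` (expected: the rule that the shared-library interfaces add), which makes the dynamic-linking exception visible in the compiled policy rather than in the source.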