From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 01 Mar 2010 10:32:24 -0500
Subject: [refpolicy] Possible regression and bug in
 userdom_base_user_template
In-Reply-To: <20100301150133.GG3990@myhost.felk.cvut.cz>
References: <20100301102220.GF3990@myhost.felk.cvut.cz>
	<1267450925.30557.7.camel@gorn.columbia.tresys.com>
	<20100301150133.GG3990@myhost.felk.cvut.cz>
Message-ID: <1267457544.30557.30.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-03-01 at 16:01 +0100, Michal Svoboda wrote:
> Christopher J. PeBenito wrote:
> > (have you looked to see what files are executable in /usr/share?)
> 
> I don't seem to have any. But let's assume there are such.
> 
> > I agree with Dan, I don't feel its a big deal.  usr_t files should be
> > high integrity system files, just like bin_t files are.
> 
> It seems a little odd that usr_t privilege is in refpolicy, but bin_t is
> a fedora ext.

I don't know what you are referring to; I don't see such access in
refpolicy.  I can see that the base user template can read usr_t files,
but not execute them.  I even added a test user that only called the
template and opened up the compiled policy with apol; it still did not
have an execute permission on usr_t.

> However, this all was beside my point. Suppose it's a good thing, the
> way the base_user_template macro works right now. I understand that
> user_u will want to poke wildlife things in /usr/share, but that doesn't
> mean every se-user needs to that. So is there a macro that defines a
> really minimal user?
> 
> For example, if I want to create a restricted user type for sftp or svn
> that does not require executing anything besides one fixed program, what
> macro or template should I use?

There is no template that restrictive.  In fact, its impossible to
accomplish that unless you have statically-linked programs, since
dynamic linking requires execute on shared libraries.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150