From: domg472@gmail.com (Dominick Grift)
Date: Mon, 12 Jul 2010 15:32:23 +0200
Subject: [refpolicy] common users and restricted users vs. access to all and access to generic only.
Message-ID: <4C3B1967.1090901@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following issue has been playing for a while and I see it coming back from time to time. In my previous patch set "Simplify user content" it came up again:

If we create attributes like user_home_type, user_tmp_type and user_tmpfs_type for the various user content, and we edit the userdom_manage_home, tmp and tmpfs roles to allow the caller manage and relabel access respectively, this would mean that, for example, xguest would be able to manage/relabel thunderbird_home_t. A file that it should not be able to manage/relabel, since xguest cannot run thunderbird in the thunderbird_home_t domain (this is just one example).

So I suggested splitting these userdom interfaces into: userdom_manage_all and userdom_manage_generic home/tmp/tmpfs_roles. This way we can allow common users access to all user_home/tmp/tmpfs_type by letting common users call userdom_manage_all_home/tmp/tmpfs_role(), and we can allow restricted users like xguest to manage only generic home/tmp/tmpfs files by letting them call userdom_manage_generic_home/tmp/tmpfs_role(). For these restricted users it would be required to give them access to non-generic types implicitly. For example xguest can transition to mozilla and nsplugin, thus besides managing/relabeling generic content, xguest would also be able to manage/relabel mozilla user content as well as nsplugin user content.

This same issue is also surfacing in Fedora's use of config files. Fedora added access to attribute configfile in "files_read_etc_files()". This interface is only for generic files in etc (etc_t) and not for all files in etc regardless of their type or any other types with the configfile attribute. Instead we have files_read_config for that.
Common users should be as close as possible to regular Linux users. Thus in that regard they should be able to read all config files. But xguest, which is a restricted user, should not have all those permissions. Instead restricted users should only get the access they really need. So by letting xguest call files_read_etc_files one essentially allows it to read any config file if you add access to the configfile attribute in files_read_etc_files. Instead xguest only needs to read xdm_etc_t and gconfd_etc_t (and maybe some generic files in etc).

What I am getting at here is the differentiation between restricted vs. common and generic versus all. We can, I hope, agree that common users should be as close as general (not MAC) Linux users. We can, I hope, agree that restricted users should be restricted as much as possible.

So:

common users can read all config files (files_read_config)
restricted users can only read generic config files (files_read_etc_files) and non-generic files in etc that they strictly need to be able to work (read gconfd_etc_t and xdm_etc_t)

Same for user home/tmp/tmpfs types.

common users can manage and relabel all user content
restricted (login) users can only manage and relabel generic user content and non-generic user content that they strictly need to be able to work (example for xguest: mozilla_home_t, mozilla_tmp_t, mozilla_tmpfs_t)
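An illustration of the generic/all split for the home directory case, added here as an example and not the patch set the post refers to: it assumes refpolicy's standard pattern macros (manage_*_pattern, relabel_*_pattern), the existing user_home_dir_t and user_home_t types, the user_home_type attribute proposed above, and that mozilla_role already grants the caller its mozilla_home_t access.

```m4
## <summary>Manage and relabel only generic user home content.</summary>
## <param name="role"><summary>Role of the user domain.</summary></param>
## <param name="domain"><summary>User domain allowed access.</summary></param>
interface(`userdom_manage_generic_home_role',`
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Generic content only: user_home_t inside the home directory.
	# Application types such as thunderbird_home_t are deliberately
	# not reachable from here; a restricted user gets those only via
	# the application's own role interface (e.g. mozilla_role below).
	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
	relabel_files_pattern($2, { user_home_dir_t user_home_t }, { user_home_dir_t user_home_t })
')

## <summary>Manage and relabel all user home content (common users).</summary>
## <param name="role"><summary>Role of the user domain.</summary></param>
## <param name="domain"><summary>User domain allowed access.</summary></param>
interface(`userdom_manage_all_home_role',`
	gen_require(`
		attribute user_home_type;   # assumed: every *_home_t carries it
		type user_home_dir_t;
	')

	# The attribute widens the target set to every user home type,
	# which is what a common (unconfined-like) user is expected to have.
	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
')

# Usage, as it would appear in the role modules (hypothetical placement):
#
# roles/xguest.te -- restricted user: generic home content plus only
# the application content it can actually run.
#   userdom_manage_generic_home_role(xguest_r, xguest_t)
#   mozilla_role(xguest_r, xguest_t)   # assumed to cover mozilla_home_t
#
# roles/staff.te -- common user: everything carrying user_home_type.
#   userdom_manage_all_home_role(staff_r, staff_t)
```

The same shape applies to the tmp and tmpfs variants by swapping the generic type for user_tmp_t / user_tmpfs_t and the attribute for user_tmp_type / user_tmpfs_type.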