From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 08 Oct 2010 09:19:04 -0400
Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.
In-Reply-To: <4CAF1915.1030901@tresys.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com>
 <1286216636-28449-39-git-send-email-domg472@gmail.com>
 <4CAF15C9.4000605@tresys.com>
 <20101008130103.GB15409@localhost.localdomain>
 <4CAF168B.7080409@tresys.com>
 <20101008130744.GC15409@localhost.localdomain>
 <4CAF187B.808@tresys.com>
 <4CAF1915.1030901@tresys.com>
Message-ID: <4CAF1A48.1080804@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/08/2010 09:13 AM, Christopher J. PeBenito wrote:
> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>> On 10/08/10 09:07, Dominick Grift wrote:
>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>> wrote:
>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>> diff --git a/policy/modules/admin/sudo.if
>>>>>>> b/policy/modules/admin/sudo.if
>>>>>>> index ca36b15..da2afce 100644
>>>>>>> --- a/policy/modules/admin/sudo.if
>>>>>>> +++ b/policy/modules/admin/sudo.if
>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',`
>>>>>>>  	files_read_usr_symlinks($1_sudo_t)
>>>>>>>  	files_getattr_usr_files($1_sudo_t)
>>>>>>>  	# for some PAM modules and for cwd
>>>>>>> +	files_dontaudit_list_default($1_sudo_t)
>>>>>>>  	files_dontaudit_search_home($1_sudo_t)
>>>>>>>  	files_list_tmp($1_sudo_t)
>>>>>>
>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>
>>>>> Why not, what do you think it should be?
>>>>
>>>> There shouldn't be any default_t files if it can be helped. I would
>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>
>>> This patch set is to make "refpolicy" work on minimal Fedora
>>> installations. It's not so much about trying to merge every Fedora
>>> change to refpolicy.
>>>
>>> However if you are interested in implementing Fedora's admin_home_t I
>>> guess I could try that instead. That would mean that for now you can
>>> disregard all "default" patches.
>>>
>>> I just was of the opinion that refpolicy is not interested in
>>> implementing Fedora's admin_home_t solution, and rather stick to
>>> default_t for /root
>>
>> No, /root should definitely not be default_t. If that's what you're
>> getting out of refpolicy head, we need to figure out why.
>
> To clarify, I would expect it to be user_home_dir_t in refpolicy.
>

If you are using the latest Fedora libsemanage, it is running
genhomedircon, so this might leave /root without a label.

Edit /etc/selinux/semanage.conf

And change

# semanage fcontext -a -e /home /althome

usepasswd=FALSE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyvGkgACgkQrlYvE4MpobOzHACfahQzaVd58ejJXbLR5087c7kF
6+gAn3WEnHukjC/7nDeUGi4dBPX+6ncS
=GgzZ
-----END PGP SIGNATURE-----
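Review bot: the added `files_dontaudit_list_default($1_sudo_t)` in the `sudo_role_template` hunk silences denials on default_t directories instead of fixing why /root carries that type; as the reply chain says, refpolicy expects /root to be user_home_dir_t, so a dontaudit here would hide a labeling problem rather than cure it. Suggest dropping the line and correcting the file context instead, and, if a dontaudit on default_t is still wanted, giving it its own comment: as placed, the existing `# for some PAM modules and for cwd` comment now reads as if it described the new line rather than `files_dontaudit_search_home($1_sudo_t)` beneath it.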
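The thread's point is that a dontaudit on default_t papers over a mislabeled /root, and the reply suggests checking genhomedircon's usepasswd setting in semanage.conf. Below is an added shell example, not code from the thread or from refpolicy, that audits `ls -dZ`-style output for home directories that are not user_home_dir_t or admin_home_t and checks whether semanage.conf disables usepasswd. The sample label lines are constructed; `home_label_ok`, `audit_labels` and `usepasswd_disabled` are names chosen here, and the accepted types are taken from the discussion above.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): flag home directories
# whose SELinux type is default_t (or anything other than the expected
# home-dir types) and check the usepasswd setting in semanage.conf.
# SAMPLE_LS_Z below is constructed; on a real host feed the output of
# `ls -dZ /root /home/*` and pass /etc/selinux/semanage.conf.

# Print the type field of a context string "user:role:type:level".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the label is an acceptable home-directory type
# (user_home_dir_t in refpolicy, admin_home_t on Fedora, per the thread),
# 1 for default_t or anything else.
home_label_ok() {
    case "$(selinux_type "$1")" in
        user_home_dir_t|admin_home_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "<context> <path>" lines (the shape of `ls -dZ` output) on stdin,
# print one line per mislabeled path, and return 1 if anything was flagged.
audit_labels() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        if ! home_label_ok "$ctx"; then
            printf 'MISLABELED %s is %s (fix: restorecon -v %s)\n' \
                "$path" "$(selinux_type "$ctx")" "$path"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the given semanage.conf sets usepasswd=FALSE (case-insensitive),
# i.e. genhomedircon will not derive home-dir contexts from /etc/passwd.
usepasswd_disabled() {
    grep -iqE '^[[:space:]]*usepasswd[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Constructed sample: a mislabeled /root beside a correctly labeled home dir.
SAMPLE_LS_Z='system_u:object_r:default_t:s0 /root
unconfined_u:object_r:user_home_dir_t:s0 /home/alice'

# Usage: sh audit_root_label.sh --demo   (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LS_Z" | audit_labels
    [ -r /etc/selinux/semanage.conf ] && usepasswd_disabled /etc/selinux/semanage.conf \
        && echo 'semanage.conf: usepasswd=FALSE'
fi
```

The audit deliberately reports the type it found and the `restorecon` fix rather than adding policy around it, which is the direction the reviewers take above: a stray default_t under /root is a file-context problem, not something sudo policy should learn to ignore.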