From: domg472@gmail.com (Dominick Grift)
Date: Fri, 8 Oct 2010 15:31:42 +0200
Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.
In-Reply-To: <4CAF1915.1030901@tresys.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-39-git-send-email-domg472@gmail.com> <4CAF15C9.4000605@tresys.com> <20101008130103.GB15409@localhost.localdomain> <4CAF168B.7080409@tresys.com> <20101008130744.GC15409@localhost.localdomain> <4CAF187B.808@tresys.com> <4CAF1915.1030901@tresys.com>
Message-ID: <20101008133141.GB6366@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
> On 10/08/10 09:11, Christopher J. PeBenito wrote:
> >On 10/08/10 09:07, Dominick Grift wrote:
> >>On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
> >>>On 10/08/10 09:01, Dominick Grift wrote:
> >>>>On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
> >>>>wrote:
> >>>>>On 10/04/10 14:23, Dominick Grift wrote:
> >>>>>>diff --git a/policy/modules/admin/sudo.if
> >>>>>>b/policy/modules/admin/sudo.if
> >>>>>>index ca36b15..da2afce 100644
> >>>>>>--- a/policy/modules/admin/sudo.if
> >>>>>>+++ b/policy/modules/admin/sudo.if
> >>>>>>@@ -101,6 +101,7 @@ template(`sudo_role_template',`
> >>>>>>files_read_usr_symlinks($1_sudo_t)
> >>>>>>files_getattr_usr_files($1_sudo_t)
> >>>>>># for some PAM modules and for cwd
> >>>>>>+ files_dontaudit_list_default($1_sudo_t)
> >>>>>>files_dontaudit_search_home($1_sudo_t)
> >>>>>>files_list_tmp($1_sudo_t)
> >>>>>
> >>>>>I'm confused, /root shouldn't be default_t.
> >>>>
> >>>>Why not, what do you think it should be?
> >>>
> >>>There shouldn't be any default_t files if it can be helped. I would
> >>>expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
> >>
> >>This patch set is to make "refpolicy" work on minimal Fedora
> >>installations. It's not so much about trying to merge every Fedora
> >>change to refpolicy.
> >>
> >>However if you are interested in implementing Fedora's admin_home_t I
> >>guess I could try that instead. That would mean that for now you can
> >>disregard all "default" patches.
> >>
> >>I just was of the opinion that refpolicy is not interested in
> >>implementing Fedora's admin_home_t solution, and rather stick to
> >>default_t for /root.
> >
> >No, /root should definitely not be default_t. If that's what you're
> >getting out of refpolicy head, we need to figure out why.
>
> To clarify, I would expect it to be user_home_dir_t in refpolicy.

Any particular reason to not implement Fedora's admin_home_t solution instead?

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
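Review bot: the added `files_dontaudit_list_default($1_sudo_t)` silences listing of default_t directories, yet the subject says the aim is to stop auditing attempts to search /root; as the thread notes, /root is expected to be user_home_dir_t in refpolicy (or the Fedora admin_home_t type), so the existing `files_dontaudit_search_home($1_sudo_t)` on the very next context line already covers that case, and a default_t dontaudit would only hide the symptom of a mislabeled /root instead of fixing the label. The permission also does not match the stated intent: the subject speaks of "search" (directory traversal) while the interface is `list_default` (reading directory contents). Suggest dropping the line and relabeling /root instead; if a default_t dontaudit is genuinely wanted, give it its own comment rather than placing it directly under "# for some PAM modules and for cwd", which now reads as if it explains the new line.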