From: dwalsh@redhat.com (Daniel J Walsh) Date: Fri, 08 Oct 2010 09:41:30 -0400 Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root. In-Reply-To: <20101008133141.GB6366@localhost.localdomain> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-39-git-send-email-domg472@gmail.com> <4CAF15C9.4000605@tresys.com> <20101008130103.GB15409@localhost.localdomain> <4CAF168B.7080409@tresys.com> <20101008130744.GC15409@localhost.localdomain> <4CAF187B.808@tresys.com> <4CAF1915.1030901@tresys.com> <20101008133141.GB6366@localhost.localdomain> Message-ID: <4CAF1F8A.5070004@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/08/2010 09:31 AM, Dominick Grift wrote: > On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote: >> On 10/08/10 09:11, Christopher J. PeBenito wrote: >>> On 10/08/10 09:07, Dominick Grift wrote: >>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote: >>>>> On 10/08/10 09:01, Dominick Grift wrote: >>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito >>>>>> wrote: >>>>>>> On 10/04/10 14:23, Dominick Grift wrote: >>>>>>>> diff --git a/policy/modules/admin/sudo.if >>>>>>>> b/policy/modules/admin/sudo.if >>>>>>>> index ca36b15..da2afce 100644 >>>>>>>> --- a/policy/modules/admin/sudo.if >>>>>>>> +++ b/policy/modules/admin/sudo.if >>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',` >>>>>>>> files_read_usr_symlinks($1_sudo_t) >>>>>>>> files_getattr_usr_files($1_sudo_t) >>>>>>>> # for some PAM modules and for cwd >>>>>>>> + files_dontaudit_list_default($1_sudo_t) >>>>>>>> files_dontaudit_search_home($1_sudo_t) >>>>>>>> files_list_tmp($1_sudo_t) >>>>>>> >>>>>>> I'm confused, /root shouldn't be default_t. >>>>>> >>>>>> Why not, what do you think it should be? >>>>> >>>>> There shouldn't be any default_t files if it can be helped. I would >>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora. >>>> >>>> This patch set is to make "refpolicy" work on minimal fedora >>>> installations. Its not so much about trying to merge every fedora >>>> change to refpolicy. >>>> >>>> However if you are interested in implementing Fedora's admin_home_t i >>>> guess i could try that instead. That would mean that for now you can >>>> disregard all " default" patches. >>>> >>>> I just was of the opinion that refpolicy is not interested in >>>> implementing fedoras admin_home_t solution, and rather stick to >>>> default_t for /root >>> >>> No, /root should definitely not be default_t. If thats what you're >>> getting out of refpolicy head, we need to figure out why. >> >> To clarify, I would expect it to be user_home_dir_t in refpolicy. > > Any particular reason to not implement Fedoras admin_home_t solution instead? >> >> >> -- >> Chris PeBenito >> Tresys Technology, LLC >> www.tresys.com | oss.tresys.com >> >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy Top Reasons I like labelling /root differently then /home/dwalsh 1. Admins enter the /root directory every time they run su - or sudo. And execute .bash type scripts. 2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH tried to read user_home_dir_t, I can add rule saying dontaudit daemon admin_home_t:dir search_dir_perms; 3. When someone tries to login via Xwindows as Root, they get denied, by SELinux. We do not want X Window sessions running as root and unconfined_t. 4. Over 70 domains in Fedora 15 need to write to user_home_dir_t depending on boolean settings, I do not want them writing to /root 5. I can turn off genhomedircon, since I have a label for /root as admin_home_t. 6. I want to have confined administrators tread the directories differently. 7. Confined apps started in /root need to be treated differently. 8. Setroubleshoot plugins can treat access differently. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkyvH4oACgkQrlYvE4MpobP03QCgkqc9QhO8dd++6+wA45pqGMw/ 3lYAnjKASWpaZyC3afxMLiWnDhdpwnkJ =0O7C -----END PGP SIGNATURE-----