From: domg472@gmail.com (Dominick Grift) Date: Fri, 8 Oct 2010 15:43:39 +0200 Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root. In-Reply-To: <4CAF1F8A.5070004@redhat.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-39-git-send-email-domg472@gmail.com> <4CAF15C9.4000605@tresys.com> <20101008130103.GB15409@localhost.localdomain> <4CAF168B.7080409@tresys.com> <20101008130744.GC15409@localhost.localdomain> <4CAF187B.808@tresys.com> <4CAF1915.1030901@tresys.com> <20101008133141.GB6366@localhost.localdomain> <4CAF1F8A.5070004@redhat.com> Message-ID: <20101008134338.GC6366@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, Oct 08, 2010 at 09:41:30AM -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 10/08/2010 09:31 AM, Dominick Grift wrote: > > On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote: > >> On 10/08/10 09:11, Christopher J. PeBenito wrote: > >>> On 10/08/10 09:07, Dominick Grift wrote: > >>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote: > >>>>> On 10/08/10 09:01, Dominick Grift wrote: > >>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito > >>>>>> wrote: > >>>>>>> On 10/04/10 14:23, Dominick Grift wrote: > >>>>>>>> diff --git a/policy/modules/admin/sudo.if > >>>>>>>> b/policy/modules/admin/sudo.if > >>>>>>>> index ca36b15..da2afce 100644 > >>>>>>>> --- a/policy/modules/admin/sudo.if > >>>>>>>> +++ b/policy/modules/admin/sudo.if > >>>>>>>> @@ -101,6 +101,7 @@ template(`sudo_role_template',` > >>>>>>>> files_read_usr_symlinks($1_sudo_t) > >>>>>>>> files_getattr_usr_files($1_sudo_t) > >>>>>>>> # for some PAM modules and for cwd > >>>>>>>> + files_dontaudit_list_default($1_sudo_t) > >>>>>>>> files_dontaudit_search_home($1_sudo_t) > >>>>>>>> files_list_tmp($1_sudo_t) > >>>>>>> > >>>>>>> I'm confused, /root shouldn't be default_t. > >>>>>> > >>>>>> Why not, what do you think it should be? > >>>>> > >>>>> There shouldn't be any default_t files if it can be helped. I would > >>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora. > >>>> > >>>> This patch set is to make "refpolicy" work on minimal fedora > >>>> installations. Its not so much about trying to merge every fedora > >>>> change to refpolicy. > >>>> > >>>> However if you are interested in implementing Fedora's admin_home_t i > >>>> guess i could try that instead. That would mean that for now you can > >>>> disregard all " default" patches. > >>>> > >>>> I just was of the opinion that refpolicy is not interested in > >>>> implementing fedoras admin_home_t solution, and rather stick to > >>>> default_t for /root > >>> > >>> No, /root should definitely not be default_t. If thats what you're > >>> getting out of refpolicy head, we need to figure out why. > >> > >> To clarify, I would expect it to be user_home_dir_t in refpolicy. > > > > Any particular reason to not implement Fedoras admin_home_t solution instead? > >> > >> > >> -- > >> Chris PeBenito > >> Tresys Technology, LLC > >> www.tresys.com | oss.tresys.com > >> > >> > >> _______________________________________________ > >> refpolicy mailing list > >> refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > Top Reasons I like labelling /root differently then /home/dwalsh > > 1. Admins enter the /root directory every time they run su - or sudo. > And execute .bash type scripts. > 2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH > tried to read user_home_dir_t, I can add rule saying dontaudit daemon > admin_home_t:dir search_dir_perms; > 3. When someone tries to login via Xwindows as Root, they get denied, > by SELinux. We do not want X Window sessions running as root and > unconfined_t. > 4. Over 70 domains in Fedora 15 need to write to user_home_dir_t > depending on boolean settings, I do not want them writing to /root > 5. I can turn off genhomedircon, since I have a label for /root as > admin_home_t. > 6. I want to have confined administrators tread the directories > differently. > 7. Confined apps started in /root need to be treated differently. > 8. Setroubleshoot plugins can treat access differently. dwalsh will it not cause any file context specification conflicts on fedora systems/policy if i set usepasswd=false with admin_home_t vs. user_home_dir_t? > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkyvH4oACgkQrlYvE4MpobP03QCgkqc9QhO8dd++6+wA45pqGMw/ > 3lYAnjKASWpaZyC3afxMLiWnDhdpwnkJ > =0O7C > -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101008/a9c30bca/attachment.bin