From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 08 Oct 2010 09:51:37 -0400
Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.
In-Reply-To: <20101008134338.GC6366@localhost.localdomain>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com>
 <1286216636-28449-39-git-send-email-domg472@gmail.com>
 <4CAF15C9.4000605@tresys.com>
 <20101008130103.GB15409@localhost.localdomain>
 <4CAF168B.7080409@tresys.com>
 <20101008130744.GC15409@localhost.localdomain>
 <4CAF187B.808@tresys.com>
 <4CAF1915.1030901@tresys.com>
 <20101008133141.GB6366@localhost.localdomain>
 <4CAF1F8A.5070004@redhat.com>
 <20101008134338.GC6366@localhost.localdomain>
Message-ID: <4CAF21E9.4090501@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/08/2010 09:43 AM, Dominick Grift wrote:
> On Fri, Oct 08, 2010 at 09:41:30AM -0400, Daniel J Walsh wrote:
> On 10/08/2010 09:31 AM, Dominick Grift wrote:
>>>> On Fri, Oct 08, 2010 at 09:13:57AM -0400, Christopher J. PeBenito wrote:
>>>>> On 10/08/10 09:11, Christopher J. PeBenito wrote:
>>>>>> On 10/08/10 09:07, Dominick Grift wrote:
>>>>>>> On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
>>>>>>>> On 10/08/10 09:01, Dominick Grift wrote:
>>>>>>>>> On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito
>>>>>>>>> wrote:
>>>>>>>>>> On 10/04/10 14:23, Dominick Grift wrote:
>>>>>>>>>>> diff --git a/policy/modules/admin/sudo.if >>>>>>>>>>> b/policy/modules/admin/sudo.if >>>>>>>>>>> index ca36b15..da2afce 100644 >>>>>>>>>>> --- a/policy/modules/admin/sudo.if >>>>>>>>>>> +++ b/policy/modules/admin/sudo.if >>>>>>>>>>>
@@ -101,6 +101,7 @@ template(`sudo_role_template',` >>>>>>>>>>> files_read_usr_symlinks($1_sudo_t) >>>>>>>>>>> files_getattr_usr_files($1_sudo_t) >>>>>>>>>>> # for some PAM modules and for cwd >>>>>>>>>>> + files_dontaudit_list_default($1_sudo_t) >>>>>>>>>>> files_dontaudit_search_home($1_sudo_t) >>>>>>>>>>> files_list_tmp($1_sudo_t)
>>>>>>>>>>
>>>>>>>>>> I'm confused, /root shouldn't be default_t.
>>>>>>>>>
>>>>>>>>> Why not, what do you think it should be?
>>>>>>>>
>>>>>>>> There shouldn't be any default_t files if it can be helped. I would
>>>>>>>> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.
>>>>>>>
>>>>>>> This patch set is to make "refpolicy" work on minimal Fedora
>>>>>>> installations. It's not so much about trying to merge every Fedora
>>>>>>> change to refpolicy.
>>>>>>>
>>>>>>> However if you are interested in implementing Fedora's admin_home_t I
>>>>>>> guess I could try that instead. That would mean that for now you can
>>>>>>> disregard all "default" patches.
>>>>>>>
>>>>>>> I just was of the opinion that refpolicy is not interested in
>>>>>>> implementing Fedora's admin_home_t solution, and rather stick to
>>>>>>> default_t for /root
>>>>>>
>>>>>> No, /root should definitely not be default_t. If that's what you're
>>>>>> getting out of refpolicy head, we need to figure out why.
>>>>>
>>>>> To clarify, I would expect it to be user_home_dir_t in refpolicy.
>>>>
>>>> Any particular reason to not implement Fedora's admin_home_t solution instead?
>>>>>
>>>>>
>>>>> --
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> www.tresys.com | oss.tresys.com
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy at oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> Top Reasons I like labelling /root differently than /home/dwalsh
>
> 1. Admins enter the /root directory every time they run su - or sudo.
> And execute .bash type scripts.
> 2. If said admins execute /etc/init.d/BLAH script I get avc saying BLAH
> tried to read user_home_dir_t, I can add rule saying dontaudit daemon
> admin_home_t:dir search_dir_perms;
> 3. When someone tries to login via Xwindows as Root, they get denied,
> by SELinux. We do not want X Window sessions running as root and
> unconfined_t.
> 4. Over 70 domains in Fedora 15 need to write to user_home_dir_t
> depending on boolean settings, I do not want them writing to /root
> 5. I can turn off genhomedircon, since I have a label for /root as
> admin_home_t.
> 6. I want to have confined administrators treat the directories
> differently.
> 7. Confined apps started in /root need to be treated differently.
> 8. Setroubleshoot plugins can treat access differently.
>
>> dwalsh will it not cause any file context specification conflicts on Fedora systems/policy if I set usepasswd=false with admin_home_t vs. user_home_dir_t?
>

Yes it could be a problem, because I believe the Fedora genhomedircon is
ignoring /root in /etc/passwd. So removing this with the Fedora
libsemanage will not help you. (Or I guess you could try.)
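
Review bot: the added `files_dontaudit_list_default($1_sudo_t)` line in the `sudo_role_template` hunk is broader than the subject line's "do not audit attempts to search /root": it silences list access on every directory labelled default_t, not only /root, and it covers list where the subject only mentions search. Because the rule hides the denial instead of explaining it, a mislabelled /root (or any other default_t directory that sudo touches) would no longer appear in the audit log. Consider settling the label of /root first; if a dontaudit is still wanted afterwards, narrow it to search and extend the existing `# for some PAM modules and for cwd` comment so it says the rule is there for /root.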