From: guido@trentalancia.com (Guido Trentalancia) Date: Tue, 25 Jan 2011 01:03:42 +0100 Subject: [refpolicy] [PATCH/RFC 8/19]: patch set to update the git reference policy In-Reply-To: <4D3D8703.8040308@gmail.com> References: <1295829851.3862.67.camel@tesla.lan> <4D3D8703.8040308@gmail.com> Message-ID: <1295913822.1665.28.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Dominick ! Just a quick comment on the default_t label/permissions, as I still need to check the rest of this [8/19] comment... On Mon, 24/01/2011 at 15.04 +0100, Dominick Grift wrote: > On 01/24/2011 01:44 AM, Guido Trentalancia wrote: > > --- refpolicy-git-18012011-dbus-messaging/policy/modules/services/dbus.te 2011-01-23 23:13:48.168284256 +0100 > > +++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 23:11:46.430346876 +0100 > > @@ -52,7 +52,7 @@ ifdef(`enable_mls',` > > > > # dac_override: /var/run/dbus is owned by messagebus on Debian > > # cjp: dac_override should probably go in a distro_debian > > -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; > > +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; > > dontaudit system_dbusd_t self:capability sys_tty_config; > > allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; > > allow system_dbusd_t self:fifo_file rw_fifo_file_perms; 
> > @@ -111,13 +111,20 @@ auth_read_pam_console_data(system_dbusd_ > > corecmd_list_bin(system_dbusd_t) > > corecmd_read_bin_pipes(system_dbusd_t) > > corecmd_read_bin_sockets(system_dbusd_t) > > +# needed for system-tools-backends > > +corecmd_exec_shell(system_dbusd_t) > > > > domain_use_interactive_fds(system_dbusd_t) > > domain_read_all_domains_state(system_dbusd_t) > > > > +files_search_default(system_dbusd_t) > > There should not be any default_t type directories. Thus this shouldn't > be allowed > > > +files_read_default_files(system_dbusd_t) > > there should not be any default_t type files. Thus this shouldn't be allowed The point here is that with the reference policy root's home directory doesn't get its own label but rather falls back to default_t. This is why I had created those permissions, although I wasn't completely sure about it because of course it doesn't appear anywhere else. On Fedora, it's different as they have patched that as follows (taken from F14 patch in this example): diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.9.7/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-10-12 22:42:50.000000000 +0200 +++ serefpolicy-3.9.7/policy/modules/system/userdomain.fc 2010-11-05 14:02:26.959899962 +0100 
@@ -1,4 +1,17 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) - /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +/root/\.debug(/.*)? <> +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> On Debian, it's also being labelled user_home_t. But when I installed the plain reference policy, it didn't label any home directory at all: the type *_home_t does not appear at all in the "standard" file contexts. So I thought that was the intended behaviour for the reference policy. I had just followed the INSTALL document... What do you say ? Regards, Guido
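Review bot: in the dbus.te hunk at @@ -52,7 +52,7 @@, sys_ptrace is added to the system_dbusd_t self:capability set with no comment saying what needs it, although the line directly above documents why dac_override is there. sys_ptrace lets the bus daemon inspect processes it does not own, so the rule should carry a comment naming the operation that triggers the denial. If the denial is only a side effect of reading other domains' /proc entries, a dontaudit rule like the sys_tty_config one on the next line would be the narrower choice.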
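Review bot: in the dbus.te hunk at @@ -111,13 +111,20 @@, files_search_default and files_read_default_files give system_dbusd_t access to default_t, which is the label for anything the file contexts do not cover, so the grant extends to every unlabeled file and not only to root's home directory. The reply explains that the denials come from /root having no label of its own; the fix for that belongs in the file contexts (a /root entry with a dedicated type) and an interface for that type, leaving both default_t lines out. Separately, corecmd_exec_shell is granted unconditionally although its comment ties it to system-tools-backends; it would be better scoped to that backend than given to the bus daemon on every system.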
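Review bot: in the Fedora userdomain.fc hunk at @@ -1,4 +1,17 @@, only the three /root entries bear on the default_t problem under discussion; the /dev/shm, bin, Audio, Music, .pki and .gvfs entries are unrelated and should not be carried over with them. The entries also reference admin_home_t, home_cert_t, home_bin_t and audio_home_t, so any port to the reference policy needs those types declared first. The /root/\.debug, HOME_DIR/\.gvfs and HOME_DIR/\.debug lines show an empty <> where a context specification is expected, so they cannot be taken as quoted here.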