From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 21 Feb 2011 10:40:10 -0500 Subject: [refpolicy] [patch 1/3] Implementation of system conf type In-Reply-To: <1298180267.3098.11.camel@tesla.lan> References: <4D5E95C1.9080805@redhat.com> <20110219095711.GA6270@siphos.be> <1298180267.3098.11.camel@tesla.lan> Message-ID: <4D62875A.8060006@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/20/2011 12:37 AM, Guido Trentalancia wrote: > On Sat, 19/02/2011 at 10.57 +0100, Sven Vermeulen wrote: >> On Fri, Feb 18, 2011 at 03:52:33PM +0000, Miroslav Grepl wrote: >>> http://mgrepl.fedorapeople.org/F15/system_conf_implemantion_p1.patch >>> >>> * Implementation of system conf type for manageable system >>> configuration files. >> >> Isn't a generic system configuration type a bit too broad for a security >> policy? We already have etc_t. > > I agree with Sven, it appears to be rather useless (at least for the use > that is being made so far in the patches that have been posted) and it > just introduces a redundancy of types. > > But Sven, I believe this is stuff just intended for Fedora 15. It won't > affect the rest of us. I don't even understand why it has been posted > with the [PATCH] tag in the subject on this mailing list. Some stuff > won't even build on refpolicy because there are missing bits (such as > missing interfaces that have never been defined in refpolicy and that > are only being used by Fedora as part of their customisations). > > Regards, > > Guido > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy When you have a type a domain needs to write, you do not want that type to be etc_t. In this case several confined domains needs to be able to write firewall rules, I believe. If we give tools like system-config-firewall the ability to write etc_t, it can replace /etc/passwd and other key config files. So an exploit can be used to take over the entire machine, if we add a new type, then system-config-firewall will only be allowed to write firewall rules and not most files within the /etc tree. We have lots of examples of this, for example net_conf_t for /etc/resolv.conf. As configuration tools move to a dbus/policykit config, you will see more "config" files gather labels. As we try to add domains for confined administrator, you will also see types added. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1ih1kACgkQrlYvE4MpobOQtwCgxIxBkC7WtMV/uzUDiVercj5A nAYAoKV6ywEHdiAwRPSheCN9nbOXmcuo =mGAX -----END PGP SIGNATURE-----