From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 8 Nov 2011 08:22:26 -0500
Subject: [refpolicy] user access to DOS files
In-Reply-To: <201111071408.00628.russell@coker.com.au>
References: <201111071408.00628.russell@coker.com.au>
Message-ID: <4EB92D12.9080008@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/06/11 22:08, Russell Coker wrote:
> The attached patch adds a new boolean for granting users access to dosfs_t.
>
> Also in the same patch is a Debian specific patch to allow users to read
> /var/lib/apt/lists. While it's generally best to split patches I think that
> having an uncontroversial patch wrapped with distro_debian appended isn't a
> big deal. If the dosfs_t patch is rejected I'll submit the Debian one
> separately.

These are in userdom_base_user_template(); that is too low level of a template for these rules. That template is supposed to be as close to the absolute minimum usable user as possible. userdom_unpriv_user_template() or userdom_common_user_template() would be better choices.

> diff -ru ./policy/global_tunables /tmp/refpolicy/policy/global_tunables > --- ./policy/global_tunables 2011-02-19 11:44:29.585412285 +1100 > +++ /tmp/refpolicy/policy/global_tunables 2011-11-07 13:22:19.258199269 +1100 > @@ -111,3 +111,10 @@ > ##

> ## > gen_tunable(user_tcp_server,false) > + > +## > +##

> +## Allow users to manage files on dosfs_t devices, usually removable media > +##

> +##
> +gen_tunable(user_manage_dos_files,true) > diff -ru ./policy/modules/system/userdomain.if /tmp/refpolicy/policy/modules/system/userdomain.if > --- ./policy/modules/system/userdomain.if 2011-10-29 21:44:32.502459650 +1100 > +++ /tmp/refpolicy/policy/modules/system/userdomain.if 2011-11-07 13:22:19.310197159 +1100 > @@ -117,6 +118,19 @@ > # Allow making the stack executable via mprotect. > allow $1_t self:process execstack; > ') > + > + tunable_policy(`user_manage_dos_files',` > + fs_manage_dos_dirs($1_t) > + fs_manage_dos_files($1_t) > + ') > + > + ifdef(`distro_debian', ` > + # allow reading /var/lib/apt/lists > + apt_read_db($1_t) > + # allow reading /var/cache/apt - should not be needed but > + # does not really matter > + apt_read_cache($1_t) > + ') > ') > > ####################################### -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
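
Review bot: in the policy/global_tunables hunk, gen_tunable(user_manage_dos_files,true) enables the new boolean by default, while the neighbouring gen_tunable(user_tcp_server,false) visible in the context defaults to off. Defaulting to true means every user domain built from the template gets manage access to dosfs_t unless an administrator turns the boolean off. Suggest a default of false so the access is opt-in, and a description that says which users the boolean applies to.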
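
Review bot: in the policy/modules/system/userdomain.if hunk, the apt_read_cache($1_t) line inside ifdef(`distro_debian') is commented as "should not be needed but does not really matter", so the rule grants read access to /var/cache/apt with no stated need. Suggest dropping apt_read_cache($1_t) and keeping only apt_read_db($1_t), or replacing the comment with the operation that actually requires the cache read. The Debian block is also independent of the user_manage_dos_files tunable_policy block above it and would be easier to review and revert as its own patch.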