From: russell@coker.com.au (Russell Coker) Date: Wed, 5 Sep 2012 10:32:31 +1000 Subject: [refpolicy] [PATCH 2/3] user access to DOS files In-Reply-To: <5046927D.8010809@trentalancia.com> References: <1346793669-26282-1-git-send-email-bigon@debian.org> <1346793669-26282-2-git-send-email-bigon@debian.org> <5046927D.8010809@trentalancia.com> Message-ID: <201209051032.31825.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 5 Sep 2012, Guido Trentalancia wrote: > > +## > > +##

> > +## Allow users to manage files on dosfs_t devices, usually removable > > media +##

> > +##
> > +gen_tunable(user_manage_dos_files,true) > > In my opinion is good to have this as on option, but in a secure > environment the default should be false for removable media. It's one setsebool command to make it "secure" in that regard. I think that for most systems where you really don't want users reading files on FAT filesystems you won't have the ability to even mount them (remove USB ports etc). For the majority of servers there will be no physical access by untrusted users. For the majority of desktop systems such access will be desired and it's one more potential thing for less clueful people to cite as a reason for not using SE Linux if it doesn't work by default. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/