From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 05 Sep 2012 17:04:14 +0200
Subject: [refpolicy] [PATCH 2/3] user access to DOS files
In-Reply-To: <50475283.7080202@redhat.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
	<1346793669-26282-2-git-send-email-bigon@debian.org>
	<5046927D.8010809@trentalancia.com>
	<1346828428.15262.53.camel@d30.localdomain>
	<50471050.5060502@trentalancia.com> <50475283.7080202@redhat.com>
Message-ID: <504769EE.1050103@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/09/2012 15:24, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables              |    7 +++++++
>>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion is good to have this as on option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> i would prefer the boolean to be fprefix userdom or userdomain instead of
>>> user, because that it the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs i would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> as description i would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And, in particular it's not "dos files" which can be confusing,
>> but dos filesystems which is already perfectioned in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` +		fs_manage_dos_dirs($1_t)
>>>>> +		fs_manage_dos_files($1_t) +	') + ')
>>>>>
>>>>> #######################################
>>
>> _______________________________________________ refpolicy mailing list
>> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file.  This would
> allow us one file to look at to see what is enabled.

Yes, exactly. At least until Reference Policy decides to ship a few 
official example booleans.conf configuration files in a separate 
directory, to resemble typical situations/environments such as the one 
already described as "personal", "home", "office" and so on.

Another possible point of failure with allowing by default filesystems 
for other OSes is given by the presence of multi-boot systems. On such 
systems, if one OS is compromised, it could in theory compromise the 
others too.

So, in theory (and in my opinion), it's not just a matter of preventing 
the mount of removable media, which as Russell Coker noted can be 
disabled elsewhere...

Regards,

Guido