From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 06 Sep 2012 08:54:11 -0400
Subject: [refpolicy] [PATCH]: turn all/most tunable policy booleans off
by default (was Re: [PATCH 2/3] user access to DOS files)
In-Reply-To: <5048858C.70700@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
<1346793669-26282-2-git-send-email-bigon@debian.org>
<5046927D.8010809@trentalancia.com>
<1346828428.15262.53.camel@d30.localdomain>
<50471050.5060502@trentalancia.com>
<50475283.7080202@redhat.com> <5048858C.70700@trentalancia.com>
Message-ID: <50489CF3.10308@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 09/06/2012 07:14 AM, Guido Trentalancia wrote:
> Hello Daniel.
>
> Following your reflections, I have checked the current situation and I
> share the concerns, so I have created a patch which disables most tunable
> policy booleans (except network and the mcelog module as it deals amongst
> other things with CPU thermal events which can be related to hardware
> failures).
>
> On 05/09/2012 15:24, Daniel J Walsh wrote:
>>
>> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>>
>>>>
>>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>>> From: Mika Pflüger
>>>>>>
>>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>>> policy/global_tunables | 7 +++++++
>>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files
>>>>>> changed, 13 insertions(+)
>>>>>>
>>>>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>>>>> index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>>> gen_tunable(use_samba_home_dirs,false) ##
##
>>>>>> gen_tunable(user_tcp_server,false) + +## +## +##
>>>>>> Allow users to manage files on dosfs_t devices, usually removable
>>>>>> media +##
+##
>>>>>> +gen_tunable(user_manage_dos_files,true)
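Review bot: the new tunable is declared with a default of `true` (`+gen_tunable(user_manage_dos_files,true)`), while the two neighbouring tunables in this hunk, `use_samba_home_dirs` and `user_tcp_server`, both default to `false`; a boolean that widens user write access to removable media should follow the same off-by-default convention, so change the default to `false` and let distributions enable it. The name also lacks the prefix of the module that declares it (userdomain), which is the naming point Dominick raises below; `userdom_manage_dos_content` or `userdomain_manage_dos_content` with the description "Determine whether users can manage dosfs content." would be clearer than "dos files".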
>>>>>
>>>>> In my opinion it is good to have this as an option, but in a secure
>>>>> environment the default should be false for removable media.
>>>>
>>>> I would prefer the boolean to be prefixed userdom or userdomain
>>>> instead of user, because that is the module that declares this
>>>> boolean.
>>>>
>>>> Since the user is also allowed to manage dos dirs I would probably
>>>> call it: userdomain_manage_dos_content
>>>>
>>>> As description I would use:
>>>>
>>>> "Determine whether users can manage dosfs content."
>>>
>>> I agree. And, in particular, it's not "dos files", which can be
>>> confusing, but dos filesystems, which is already perfected in
>>> Dominick's amendments.
>>>
>>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65
>>>>>> 100644 --- a/policy/modules/system/userdomain.if +++
>>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>>> executable via mprotect. allow $1_t self:process execstack; ') +
>>>>>> + tunable_policy(`user_manage_dos_files',` +
>>>>>> fs_manage_dos_dirs($1_t) + fs_manage_dos_files($1_t) +
>>>>>> ') + ')
>>>>>>
>>>>>> #######################################
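Review bot: the `tunable_policy` block is added inside `userdom_base_user_template`, so once the boolean is on, every user domain built on the base template (admin and restricted user domains included, not only unprivileged login users) gains manage access to dosfs_t dirs and files; if that is the intent, the template's doc comment should state it, otherwise the block belongs in a narrower template. Whatever final name is chosen for the declaration in global_tunables must be carried over here as well, since `tunable_policy(\`user_manage_dos_files',\`` currently references the name under discussion.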
>>>
>>>
>> I think all booleans should be off by default and then the distributions
>> can decide which booleans to turn on using the booleans.conf file. This
>> would allow us one file to look at to see what is enabled.
>
> Turn off all/most tunable policy booleans by default in Reference Policy
> (except network).
>
> They can be enabled on a per-distribution basis and many of those that were
> enabled were somehow risky as defaults.
>
> Signed-off-by: Guido Trentalancia ---
>
> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
> --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
> Thu Sep 6 10:56:21 2012 @@ -30,7 +30,7 @@
> gen_tunable(mcelog_exec_scripts, true) ## print out usage and version
> information. ## ## -gen_tunable(mcelog_foreground, true)
> +gen_tunable(mcelog_foreground, false)
>
> ## ## @@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ##
> syslog option. ##
## -gen_tunable(mcelog_syslog, true)
> +gen_tunable(mcelog_syslog, false)
>
> type mcelog_t; type mcelog_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
> Thu Sep 6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network,
> false) ## Allow qemu to use cifs/Samba file systems ## ##
> -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false)
>
> ## ## @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ##
> Allow qemu to use nfs file systems ##
##
> -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false)
>
> ## ## ## Allow qemu to use usb devices ##
##
> -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false)
>
> type qemu_exec_t; virt_domain_template(qemu) diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu
> Sep 6 10:54:59 2012 @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow
> gssd to read temp directory. For access to kerberos tgt. ## ##
> -gen_tunable(allow_gssd_read_tmp, true)
> +gen_tunable(allow_gssd_read_tmp, false)
>
> ## ## diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
>
- --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
>
Thu Sep 6 10:54:20 2012
> @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd
> to read/write user home directories. ##
##
> -gen_tunable(spamd_enable_home_dirs, true)
> +gen_tunable(spamd_enable_home_dirs, false)
>
> type spamassassin_t; type spamassassin_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
> Thu Sep 6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs,
> false) ## Allow virt to use usb devices ## ##
> -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false)
>
> virt_domain_template(svirt) role system_r types svirt_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug 23
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu
> Sep 6 10:54:41 2012 @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not
> required if using dedicated logical volumes for disk images. ## ##
> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap,
> false)
>
> ## ## @@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ##
> Not required if using paravirt and no vfb. ##
##
> -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false)
>
> ## ## diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xguest.te
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
> --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
> Thu Sep 6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
> ## Allow xguest users to mount removable media ##
##
> -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media,
> false)
>
> ## ## ## Allow xguest to configure Network Manager ##
##
> -gen_tunable(xguest_connect_network, true)
> +gen_tunable(xguest_connect_network, false)
>
> ## ## ## Allow xguest to use blue tooth devices ##
##
> -gen_tunable(xguest_use_bluetooth, true)
> +gen_tunable(xguest_use_bluetooth, false)
>
> role xguest_r;
>
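Review bot: `xguest_connect_network` is flipped to `false` in this hunk although the cover text says network booleans are excepted from the change; either leave this one at `true` to match the stated exception, or amend the change description to say that xguest's NetworkManager access is now off by default as well. With all three xguest booleans off, an xguest session gets no removable media, no network configuration and no bluetooth, so distributions that ship xguest as a kiosk or guest account will need explicit booleans.conf entries for whichever of these they rely on.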
> diff -pru
> refpolicy-09062012-git-master/policy/modules/services/postgresql.te
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
>
- --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep
> 6 10:50:18 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
>
Thu Sep 6 10:51:57 2012
> @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL
> statement ## ## -gen_tunable(sepgsql_enable_users_ddl, true)
> +gen_tunable(sepgsql_enable_users_ddl, false)
>
> ## ## @@ -37,7 +37,7 @@
> gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to
> execute DML statement ##
##
> -gen_tunable(sepgsql_unconfined_dbadm, true)
> +gen_tunable(sepgsql_unconfined_dbadm, false)
>
> type postgresql_t; type postgresql_exec_t;
>
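Review bot: the mcelog hunks contradict the note at the top of the mail, which says the mcelog module is left alone because it handles CPU thermal and other hardware-failure events; the patch nevertheless flips `mcelog_foreground` and `mcelog_syslog` to `false`. Turning `mcelog_syslog` off by default means machine-check events are no longer forwarded to syslog unless an administrator enables the boolean, which removes a hardware-failure signal operators normally expect to find in their logs; suggest dropping the mcelog hunks, as the cover text implies, or calling out the logging impact explicitly in the commit message.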
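Review bot: both xen hunks flip booleans whose own descriptions say the access is "Not required if using dedicated logical volumes for disk images" and "Not required if using paravirt and no vfb", i.e. it is required in the other, common configurations; setting `xend_run_blktap` and `xend_run_qemu` to `false` will therefore break file-backed images and HVM guests with a VFB on stock refpolicy unless the distribution re-enables them. The commit message should name these (and the similarly service-breaking `allow_gssd_read_tmp` change for Kerberos TGT access in rpc.te) as behaviour changes that need matching booleans.conf entries, as proposed earlier in the thread.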
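Review bot: the `---` header for postgresql.te is dated `Thu Sep 6 10:50:18 2012`, whereas every other base file in this diff carries `Thu Aug 23 19:23:00 2012`; that suggests the postgresql.te in the `git-master` tree was edited shortly before the diff was taken, so please confirm the `sepgsql_enable_users_ddl` and `sepgsql_unconfined_dbadm` hunks are against a pristine checkout, or regenerate the series with `git format-patch` so the base is unambiguous.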
That looks good to me.