From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 25 Jul 2014 14:38:51 -0400
Subject: [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
In-Reply-To: <20140725123746.GA20016@pippin.perfinion.com>
References: <1406147491-24852-1-git-send-email-jason@perfinion.com>
 <53D24B44.30909@tresys.com>
 <20140725123746.GA20016@pippin.perfinion.com>
Message-ID: <53D2A43B.5040306@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/25/2014 08:37 AM, Jason Zaman wrote:
> On Fri, Jul 25, 2014 at 08:19:16AM -0400, Christopher J. PeBenito wrote:
>> On 7/23/2014 4:31 PM, Jason Zaman wrote:
>>> gssd needs to be able to add entries to the kerberos credential
>>> cache. This adds a boolean to allow that.
>> [...]
>>> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
>>> userdom_read_user_tmp_symlinks(gssd_t)
>>> ')
>>>
>>> +tunable_policy(`allow_gssd_write_tmp',`
>>> + userdom_list_user_tmp(gssd_t)
>>> + userdom_write_user_tmp_files(gssd_t)
>>> +')
>>> +
>> Are you sure that these credential caches can't have more specific
>> labels, e.g. by name filetrans?
> That was sort of the point of my original question, the file is
> /tmp/krb5cc_1000, i.e. it depends on the uid. A named transition is not quite
> possible, but having something like krb_user_tmp_t would work; then gssd
> could get access only to that instead of every single user_tmp_t.
>
> I don't know enough about the details of kerberos, but I think only the
> kernel and kinit/klist/etc need to be able to read the credential
> cache file, so having it labelled as user_tmp_t is a bit strange.
>
> -- Jason
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

No, the name is randomized, not just krb_UID. It needs to be randomized to stop other users from attacking your system, just like any named content in /tmp.

If we had SimpleGlob support in the kernel then we could do a file name transition on something like krb*, but that does not exist.
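Review bot: the new tunable_policy block at +320..+324 grants gssd_t list and write access to every user_tmp_t file, not only the krb5cc_* credential caches, so the gen_tunable declaration and its description comment (not visible in this hunk) should state that scope plainly rather than describing it as credential-cache access. The write block also does not include userdom_read_user_tmp_symlinks the way the allow_gssd_read_tmp block directly above it does, so either add it here or say in the description that allow_gssd_read_tmp must be enabled as well when the cache is reached through a symlink.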
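An added example (mine, not code from this thread, from krb5 or from refpolicy) of the /tmp point Dan makes above: a predictable name such as krb5cc_1000 is exactly what a pre-planted symlink attacks, and a random suffix created with O_EXCL|O_NOFOLLOW is what defeats it, which is also why no exact-name file transition can ever match the cache. The temp directory, the victim_file target and every helper name are constructed for the demonstration, and the krb5cc_<uid>_<random> naming is only assumed here to resemble the randomized cache name Dan describes.

```python
"""Predictable vs randomized names in /tmp: a constructed demonstration.

Added example, not krb5 or refpolicy code.  All paths and helper names are
hypothetical; the scenario runs entirely inside a private temp directory.
"""
import os
import secrets
import shutil
import stat
import tempfile


def predictable_cache_path(tmpdir, uid):
    # The fixed name an exact-name file transition could match, and the
    # name another local user can pre-create or symlink in a shared /tmp.
    return os.path.join(tmpdir, f"krb5cc_{uid}")


def create_cache_predictable(tmpdir, uid, payload):
    """'Before' pattern: fixed name, O_CREAT without O_EXCL or O_NOFOLLOW.

    If someone planted a symlink at that name, open() follows it and the
    write lands in the symlink target instead of a fresh file.
    """
    path = predictable_cache_path(tmpdir, uid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path


def create_cache_random(tmpdir, uid, payload, attempts=64):
    """'After' pattern (assumed to resemble krb5cc_<uid>_<random>): random
    suffix plus O_EXCL|O_NOFOLLOW, so a pre-planted file or symlink makes
    the open fail with EEXIST instead of being followed, and the name is
    not guessable in the first place.
    """
    for _ in range(attempts):
        path = os.path.join(tmpdir, f"krb5cc_{uid}_{secrets.token_urlsafe(6)}")
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
        except FileExistsError:
            continue  # collision or planted entry: choose another name
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        return path
    raise RuntimeError("could not create a unique cache file")


def demo():
    """Run both patterns against a planted symlink and report what happened."""
    tmpdir = tempfile.mkdtemp(prefix="krb5cc-demo-")
    uid = 1000
    # Stand-in for any file the attacker wants clobbered with cache data.
    victim = os.path.join(tmpdir, "victim_file")
    with open(victim, "wb") as f:
        f.write(b"original contents")

    # Attacker (a different local user in real life) plants a symlink at
    # the predictable name before the cache is written.
    os.symlink(victim, predictable_cache_path(tmpdir, uid))

    # Predictable create follows the symlink and overwrites the victim.
    create_cache_predictable(tmpdir, uid, b"ticket")
    with open(victim, "rb") as f:
        victim_clobbered = f.read() == b"ticket"

    # O_CREAT|O_EXCL refuses an existing entry at the name, symlink included.
    exclusive_refuses_planted = False
    try:
        os.open(predictable_cache_path(tmpdir, uid),
                os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    except FileExistsError:
        exclusive_refuses_planted = True

    # Randomized create lands in a fresh regular file with a name nobody
    # could have guessed, and therefore a name no exact filetrans rule matches.
    rnd = create_cache_random(tmpdir, uid, b"ticket")
    st = os.lstat(rnd)
    result = {
        "victim_clobbered": victim_clobbered,
        "exclusive_refuses_planted": exclusive_refuses_planted,
        "random_is_regular_file": stat.S_ISREG(st.st_mode),
        "random_mode": stat.S_IMODE(st.st_mode),
        "random_name_is_fixed": os.path.basename(rnd) == f"krb5cc_{uid}",
        "random_name_has_uid_prefix": os.path.basename(rnd).startswith(f"krb5cc_{uid}_"),
    }
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second half of the output is the part relevant to the policy discussion: because the basename differs on every run, the only thing a labeling rule could key on is the fixed krb5cc_<uid>_ prefix, and name-based file transitions match whole names, not prefixes.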