From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 29 Apr 2017 11:31:41 -0400
Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions
In-Reply-To: <1493336733.4422.1.camel@trentalancia.net>
References: <1493336733.4422.1.camel@trentalancia.net>
Message-ID: <9b04041d-98cd-99a3-7548-b204823c027b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> Improve the locallogin module by curbing on dac_override permissions
> in the sulogin domain (read/search permissions only).
>
> Thanks to Dominick Grift for suggesting this.
>
> Other modules are likely affected by the same issue.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/system/locallogin.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/system/locallogin.te 2017-04-26 17:47:14.080423048 +0200
> +++ b/policy/modules/system/locallogin.te 2017-04-28 01:33:10.287540604 +0200
> @@ -216,7 +216,8 @@ optional_policy(`
> # Sulogin local policy
> #
>
> -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
> +dontaudit sulogin_t self:capability dac_override;
> +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
> allow sulogin_t self:process setexec;
> allow sulogin_t self:fd use;
> allow sulogin_t self:fifo_file rw_fifo_file_perms;

Merged. Unfortunately, since the dac_read_search was checked after dac_override for so long, this issue is possibly very prevalent in the policy.

-- 
Chris PeBenito
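Review bot: the new `dontaudit sulogin_t self:capability dac_override;` line in the locallogin.te hunk deserves a one-line comment above it explaining why the denial is expected, since a bare dontaudit on dac_override will also silence any future case where sulogin genuinely needs to bypass DAC write checks, and nothing in the hunk tells a later reader that it is intentional. The reply already gives the rationale (the kernel checked dac_override before dac_read_search for a long time, so the dac_override check fires and is denied even when read/search is all that is required, and only then does the granted dac_read_search satisfy the access); recording that next to the rule, e.g. `# dac_override is checked before dac_read_search; only read/search is needed`, would make the dontaudit self-documenting and would help whoever audits the "other modules likely affected by the same issue" mentioned in the commit message.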