From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 29 Apr 2017 11:31:41 -0400
Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override
 permissions
In-Reply-To: <1493336733.4422.1.camel@trentalancia.net>
References: <1493336733.4422.1.camel@trentalancia.net>
Message-ID: <9b04041d-98cd-99a3-7548-b204823c027b@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> Improve the locallogin module by curbing on dac_override permissions
> in the sulogin domain (read/search permissions only).
>
> Thanks to Dominick Grift for suggesting this.
>
> Other modules are likely affected by the same issue.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/locallogin.te |    3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/system/locallogin.te	2017-04-26 17:47:14.080423048 +0200
> +++ b/policy/modules/system/locallogin.te	2017-04-28 01:33:10.287540604 +0200
> @@ -216,7 +216,8 @@ optional_policy(`
>  # Sulogin local policy
>  #
>
> -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
> +dontaudit sulogin_t self:capability dac_override;
> +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
>  allow sulogin_t self:process setexec;
>  allow sulogin_t self:fd use;
>  allow sulogin_t self:fifo_file rw_fifo_file_perms;

Merged.  Unfortunately, since the dac_read_search was checked after 
dac_override for so long, this issue is possibly very prevalent in the 
policy.

-- 
Chris PeBenito