From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 29 Apr 2017 20:23:16 +0200
Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions
In-Reply-To: <9b04041d-98cd-99a3-7548-b204823c027b@ieee.org>
References: <1493336733.4422.1.camel@trentalancia.net> <9b04041d-98cd-99a3-7548-b204823c027b@ieee.org>
Message-ID: <1493490196.7586.17.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Sat, 29/04/2017 at 11.31 -0400, Chris PeBenito wrote:
> On 04/27/2017 07:45 PM, Guido Trentalancia via refpolicy wrote:
> > Improve the locallogin module by curbing on dac_override permissions
> > in the sulogin domain (read/search permissions only).
> >
> > Thanks to Dominick Grift for suggesting this.
> >
> > Other modules are likely affected by the same issue.
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> >  policy/modules/system/locallogin.te |    3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > --- a/policy/modules/system/locallogin.te	2017-04-26 17:47:14.080423048 +0200
> > +++ b/policy/modules/system/locallogin.te	2017-04-28 01:33:10.287540604 +0200
> > @@ -216,7 +216,8 @@ optional_policy(`
> >  # Sulogin local policy
> >  #
> >
> > -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
> > +dontaudit sulogin_t self:capability dac_override;
> > +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
> >  allow sulogin_t self:process setexec;
> >  allow sulogin_t self:fd use;
> >  allow sulogin_t self:fifo_file rw_fifo_file_perms;
>
> Merged.  Unfortunately, since the dac_read_search was checked after
> dac_override for so long, this issue is possibly very prevalent in the
> policy.  We'll fix that with time.

It shouldn't be given the highest priority, in my opinion.

What I think should be given the highest priority is testing the whole
policy without the unconfined module.

After that, the second highest priority should be given, in my opinion,
to the user data confidentiality patch.

Then, we can tackle this dac_override/dac_read_search issue throughout
the rest of the policy.

I'll do my best in the future to keep this in mind and eventually
provide improved policy.

Regards,

Guido
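Review bot: the added `dontaudit sulogin_t self:capability dac_override;` line in the sulogin hunk silences every future dac_override denial for sulogin_t, so if sulogin does turn out to need write-side DAC override for some file, the failure will not show up in the audit log and will be hard to trace back to this change. Consider leaving the denial auditable (drop the dontaudit) until the read/search-only assumption has been confirmed on a running system, or state in the commit message why the remaining dac_override checks are known noise; the narrowing itself, `dac_override` replaced by `dac_read_search` with `sys_admin` and `sys_tty_config` unchanged, reads correctly and matches the commit message.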
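A helper for the follow-up work both replies describe, finding the other domains in the policy that are allowed dac_override without dac_read_search, as an added example that is neither refpolicy's own tooling nor code from this thread. The sample .te text is constructed for the demonstration, the rule regex covers only single-line `allow`/`dontaudit ... self:capability ...;` statements (not interface calls or multi-line rules), and the rewrite reproduces the shape of the merged sulogin hunk. It is a heuristic: whether a flagged domain really only needs read/search has to be confirmed by testing on a running system, which is why the thread treats the policy-wide cleanup as gradual work.

```python
"""Flag self:capability rules that grant dac_override but not dac_read_search.

Added example, not part of refpolicy: a heuristic over .te source text that
lists domains where the sulogin-style narrowing (dac_override -> dac_read_search)
is worth checking, and rewrites a rule the way the merged patch did.
"""
import re

# Constructed sample policy text for an offline run; not refpolicy's real
# locallogin.te.  The sulogin_t line mirrors the one the patch replaced.
SAMPLE_TE = """\
# Sulogin local policy (constructed excerpt)
allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
allow sulogin_t self:process setexec;

# local_login_t already has both: no action needed
allow local_login_t self:capability { chown dac_override dac_read_search fowner };

# getty_t only dontaudits dac_override: nothing is granted, skip it
dontaudit getty_t self:capability dac_override;

# crond_t: dac_read_search granted in a separate rule, still fine
allow crond_t self:capability { dac_override setgid setuid };
allow crond_t self:capability dac_read_search;

# foo_t: bare dac_override, candidate
allow foo_t self:capability dac_override;

# capability2 is a different class and must not match
allow bar_t self:capability2 { block_suspend };
"""

# One-line 'allow|dontaudit DOMAIN self:capability PERM;' or '{ PERMS };' rules.
CAP_RULE = re.compile(
    r"^\s*(allow|dontaudit)\s+(\S+)\s+self:capability\s+"
    r"(?:\{\s*([^}]*)\}|(\S+?));",
    re.MULTILINE,
)


def parse_capability_rules(te_text):
    """Map domain -> {'allow': perms, 'dontaudit': perms} over all self:capability rules."""
    rules = {}
    for kind, domain, braced, single in CAP_RULE.findall(te_text):
        perms = set(braced.split()) if braced else ({single} if single else set())
        rules.setdefault(domain, {"allow": set(), "dontaudit": set()})[kind] |= perms
    return rules


def find_dac_override_candidates(te_text):
    """Domains allowed dac_override but never dac_read_search: candidates for narrowing.

    Heuristic only: a domain that really writes files it lacks DAC permission
    for still needs dac_override, and only testing can tell.
    """
    return sorted(
        domain
        for domain, r in parse_capability_rules(te_text).items()
        if "dac_override" in r["allow"] and "dac_read_search" not in r["allow"]
    )


def narrow_dac_override(rule_line):
    """Rewrite one allow rule the way the sulogin patch did.

    Returns [dontaudit line, allow line] with dac_override replaced by
    dac_read_search (unless dac_read_search was already present) and the
    other capabilities kept in their original order.
    """
    m = CAP_RULE.match(rule_line)
    if not m or m.group(1) != "allow":
        raise ValueError("not an 'allow ... self:capability' rule: %r" % rule_line)
    domain = m.group(2)
    perms = m.group(3).split() if m.group(3) else [m.group(4)]
    if "dac_override" not in perms:
        return [rule_line.strip()]
    new_perms = []
    for p in perms:
        if p == "dac_override":
            if "dac_read_search" not in perms:
                new_perms.append("dac_read_search")
        else:
            new_perms.append(p)
    perm_str = new_perms[0] if len(new_perms) == 1 else "{ %s }" % " ".join(new_perms)
    return [
        "dontaudit %s self:capability dac_override;" % domain,
        "allow %s self:capability %s;" % (domain, perm_str),
    ]


if __name__ == "__main__":
    for d in find_dac_override_candidates(SAMPLE_TE):
        print("candidate:", d)
    for line in narrow_dac_override(
        "allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };"
    ):
        print(line)
```

Run over a real module tree this would be fed each .te file in turn; the dontaudit it emits carries the same caveat as the merged hunk, namely that a genuine dac_override need in the flagged domain will then fail silently, so keeping denials auditable until the domain has been exercised is the safer first step.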