From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 7 May 2017 10:29:57 +0200
Subject: [refpolicy] [PATCH 0/33] description
In-Reply-To: <9A0DFADE-16B3-4900-8BF6-620FEE8BE0AF@trentalancia.net>
References: <1492649990.14733.70.camel@trentalancia.net>
 <808781969.181179.1492690424033@pim.register.it>
 <20170420141003.GB11432@meriadoc.perfinion.com>
 <960668182.196968.1492697823367@pim.register.it>
 <342768044.208111.1492728614697@pim.register.it>
 <014CCF29-92AC-489E-8248-B681BFF663DA@trentalancia.net>
 <8bc4f938-ee7d-76e1-cfe0-482674460e2e@ieee.org>
 <10734812-f327-89ed-5e7e-327eaea7b8c5@ieee.org>
 <9A0DFADE-16B3-4900-8BF6-620FEE8BE0AF@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, May 6, 2017 at 7:00 PM, Guido Trentalancia via refpolicy wrote:
> Conceptually the patch that I submitted can be synthesised as follows:
>
> - never allow any domain to read or write user home directories' content
>   unless a specific "enable_homedir" boolean is set to true (default value
>   is false, for all daemons and applications);

In our setup, we use four booleans:

  *_read_generic_user_content (read rights on user_home_t)
  *_manage_generic_user_content (manage rights on user_home_t)
  *_read_all_user_content (read rights on not only user_home_t but on all
    content types that a regular user domain has access to, handled through
    the user_home_content_type attribute)
  *_manage_all_user_content (manage rights on all content types that a
    regular user domain has access to)

We even try to automatically set those on each domain, but we needed to hack
it a bit for the boolean documentation: we use a template to automatically
generate the booleans and their underlying code, but the order in which things
are done means that the in-line documentation for those booleans (you know, the
... stuff) isn't taken up. We haven't put more effort into changing this order
(also to ensure compatibility), so we just add the missing documentation into
its own gentoo_tunables.xml file in the doc/ subfolder.

Automatically creating the booleans and the various tunable_policy() statements
makes it very easy to include them, which is something I favor. Perhaps the
documentation generation can be automated as well.

I don't like having to include the same set of rules in every user domain that
wants to access user content (or even daemons). By using a single template, it
can be adapted as the user privileges adapt with new initiatives or innovations
in the SELinux policy area.

> - always allow all domains that were previously allowed to read and/or
>   write user home directories' content to read and/or write the "Download"
>   subdirectory *only* (this is treated as a shared parking area);

We only do this for domains where the download directory is intuitive (like
browsers). For instance, for image viewers we use the Pictures/ directory
(xdg_pictures_home_t), while media players get the Music (xdg_music_home_t) and
Videos (xdg_videos_home_t) locations.

However, I'm personally less concerned about what default we should pick in the
reference policy itself, and leave that up to the distributions (as you
mentioned in the other post). Let's focus first on the content before we make
the final choices on the defaults.

Wkr,
	Sven
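A sketch of the template approach described in the mail above, added here as an illustration rather than taken from the Gentoo policy tree: the template name and its two arguments (boolean prefix, domain) are assumed, while the gen_tunable()/tunable_policy() macros and the userdom_* interfaces are the reference policy's own.

```m4
########################################
## <summary>
##	Generate the four per-domain user-content booleans and the
##	tunable_policy() blocks backing them (hypothetical template).
## </summary>
## <param name="prefix">
##	<summary>Prefix for the boolean names, e.g. "myapp".</summary>
## </param>
## <param name="domain">
##	<summary>Domain receiving the conditional access.</summary>
## </param>
#
template(`example_user_content_template',`

	# Every boolean defaults to off, so $2 gets no access to home
	# content unless an administrator flips one of them on.
	# Note: doc comments placed above gen_tunable() inside a template
	# are not collected by the documentation scripts, which is why the
	# mail keeps them in a separate gentoo_tunables.xml instead.
	gen_tunable($1_read_generic_user_content, false)
	gen_tunable($1_manage_generic_user_content, false)
	gen_tunable($1_read_all_user_content, false)
	gen_tunable($1_manage_all_user_content, false)

	# Read-only on generic user_home_t content.
	tunable_policy(`$1_read_generic_user_content',`
		userdom_search_user_home_dirs($2)
		userdom_read_user_home_content_files($2)
	')

	# Create/write/delete on generic user_home_t content.
	tunable_policy(`$1_manage_generic_user_content',`
		userdom_search_user_home_dirs($2)
		userdom_manage_user_home_content_files($2)
	')

	# Read-only on every type carrying user_home_content_type
	# (user_home_t plus the xdg_*_home_t types and the like).
	tunable_policy(`$1_read_all_user_content',`
		userdom_search_user_home_dirs($2)
		userdom_read_all_users_home_content_files($2)
	')

	# Full management of every user_home_content_type type.
	tunable_policy(`$1_manage_all_user_content',`
		userdom_search_user_home_dirs($2)
		userdom_manage_all_users_home_content_files($2)
	')
')
```

A single call such as `example_user_content_template(myapp, myapp_t)` in a module's .te file then yields myapp_read_generic_user_content and its three siblings, all false by default.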