From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 7 May 2017 10:29:57 +0200
Subject: [refpolicy] [PATCH 0/33] description
In-Reply-To: <9A0DFADE-16B3-4900-8BF6-620FEE8BE0AF@trentalancia.net>
References: <1492649990.14733.70.camel@trentalancia.net>
	<808781969.181179.1492690424033@pim.register.it>
	<20170420141003.GB11432@meriadoc.perfinion.com>
	<960668182.196968.1492697823367@pim.register.it>
	<bb455298-a791-b184-fd4c-1302103bde54@ieee.org>
	<342768044.208111.1492728614697@pim.register.it>
	<CAPzO=NwiULDK+OE3x7oae3jd0q4nzUHEG0S1290_Wqo5fR4bdg@mail.gmail.com>
	<014CCF29-92AC-489E-8248-B681BFF663DA@trentalancia.net>
	<8bc4f938-ee7d-76e1-cfe0-482674460e2e@ieee.org>
	<CAPzO=NxbASMivvrfmaeyWhzwy2ZoQT9ZaBTk6HbOqwvEEjZHiw@mail.gmail.com>
	<10734812-f327-89ed-5e7e-327eaea7b8c5@ieee.org>
	<9A0DFADE-16B3-4900-8BF6-620FEE8BE0AF@trentalancia.net>
Message-ID: <CAPzO=NwPLYcA-j6AOaUxUsowPv8jDFj9h2TYF=kqHTd4Zj1cbw@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, May 6, 2017 at 7:00 PM, Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com> wrote:
> Conceptually the patch that I submitted can be synthesised as follows:
>
> - never allow any domain to read or write user home directories' content unless a specific "enable_homedir" boolean is set to true (default value is false, for all daemons and applications);

In our setup, we use four booleans:

*_read_generic_user_content (read rights on user_home_t)
*_manage_generic_user_content (manage rights on user_home_t)
*_read_all_user_content (read rights on not only user_home_t but on
all content types that a regular user domain has access to, handled
through the user_home_content_type attribute)
*_manage_all_user_content (manage rights on all content types that a
regular user domain has access to)

We even try to automatically set those on each domain, but we needed
to hack it a bit for the boolean documentation: we use a template to
automatically generate the booleans and its underlying code, but the
order in which things are done makes it that the in-line documentation
for those booleans (you know, the <desc><p>...</p></desc> stuff) isn't
taken up. We haven't put more effort in changing this order (also to
ensure compatibility) so we just add the missing documentation into
its own gentoo_tunables.xml file in the doc/ subfolder.

Automatically creating the booleans and the various tunable_policy()
statements makes it very easy to include it, which is something I
favor. Perhaps the documentation generation can be automated as well.
I don't like having to include the same set of rules in every user
domain that wants to access user content (or even daemons). By using a
single template, it can be adapted as the user privileges adapt with
new initiatives or innovations in the SELinux policy area.

> - always allow all domains that were previously allowed to read and/or write user home directories' content to read and/or write the "Download" subdirectory *only* (this is treated as a shared parking area);

We only do this for domains where the download directory is intuitive
(like browsers). For instance, image viewers we use the Pictures/
directory for (xdg_pictures_home_t) while media players are for the
Music (xdg_music_home_t) and Videos (xdg_videos_home_t) locations.

However, I'm personally less concerned about what default we should
pick in the reference policy itself, and leave that up to the
distributions (as you mentioned in the other post). Let's focus first
on the content before we make the final choices on the defaults.

Wkr,
  Sven