* [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
@ 2013-09-24 13:39 Dominick Grift
  2013-09-26 12:38 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2013-09-24 13:39 UTC (permalink / raw)
  To: refpolicy

Do not audit attempts by fixfiles to read all symbolic links

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 5622246..ff19d75 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
 files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
+files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
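Review bot: the hunk drops `files_read_usr_symlinks(setfiles_t)` instead of keeping it next to the new dontaudit, so if setfiles or a library it links needs to read a usr_t symlink, that access now fails and the added `files_dontaudit_read_all_symlinks(setfiles_t)` hides the denial from the audit log, which is the hardest kind of regression to track down. Keep the existing allow and add the dontaudit as a second line, and say in the commit message which denial is being silenced (the subject names the /run symlink and restorecon, the body says fixfiles) so the reason for the dontaudit survives in the history.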
-- 
1.8.3.1


* [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
  2013-09-24 13:39 [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link Dominick Grift
@ 2013-09-26 12:38 ` Christopher J. PeBenito
  2013-09-26 12:41   ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2013-09-26 12:38 UTC (permalink / raw)
  To: refpolicy

On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
> Do not audit attempts by fixfiles to read all symbolic links
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  policy/modules/system/selinuxutil.te | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 5622246..ff19d75 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
>  files_read_etc_files(setfiles_t)
>  files_list_all(setfiles_t)
>  files_relabel_all_files(setfiles_t)
> -files_read_usr_symlinks(setfiles_t)
> +files_dontaudit_read_all_symlinks(setfiles_t)
>
>  fs_getattr_xattr_fs(setfiles_t)
>  fs_list_all(setfiles_t)

Can you further clarify this?  Setfiles hasn't changed much in years, 
so I'm unclear on why this change is necessary.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
  2013-09-26 12:38 ` Christopher J. PeBenito
@ 2013-09-26 12:41   ` Dominick Grift
  2013-09-27 20:58     ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2013-09-26 12:41 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
> > Do not audit attempts by fixfiles to read all symbolic links
> >
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> >  policy/modules/system/selinuxutil.te | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> > index 5622246..ff19d75 100644
> > --- a/policy/modules/system/selinuxutil.te
> > +++ b/policy/modules/system/selinuxutil.te
> > @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
> >  files_read_etc_files(setfiles_t)
> >  files_list_all(setfiles_t)
> >  files_relabel_all_files(setfiles_t)
> > -files_read_usr_symlinks(setfiles_t)
> > +files_dontaudit_read_all_symlinks(setfiles_t)
> >
> >  fs_getattr_xattr_fs(setfiles_t)
> >  fs_list_all(setfiles_t)
> 
> Can you further clarify this?  Setfiles hasn't changed much in years, 
> so I'm unclear on why this change is necessary.

This is not so much related to setfiles.

It's related to recent changes of locations, for example /var/run
-> /run, /bin -> /usr/bin, etc.

So now /var/run is a symlink to /run.

setfiles doesn't follow symlinks, so we might as well silently deny access
to read all symlinks.

> 
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com

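An added example, not code from this thread, from refpolicy or from setfiles: a Python sketch of the difference between a relabeling walker that lstat()s every entry and one that stat()s through links. The directory layout is constructed to mimic /var/run -> /run after the move. With lstat the link is only ever seen as a lnk_file, its target is never resolved, and nothing under run/ is visited twice; the stat-based walker resolves the link, visits the same file under two names, and has to carry cycle detection. The comments on which syscall resolves the link are general Linux background, not something the thread states.

```python
import os
import stat
import tempfile


def build_sample_tree(root):
    """Constructed sample layout (an assumption for this example):
    run/foo.pid is the real file and var/run is a symlink to ../run,
    as on a system where /var/run has been moved to /run."""
    os.makedirs(os.path.join(root, "run"))
    os.makedirs(os.path.join(root, "var"))
    with open(os.path.join(root, "run", "foo.pid"), "w") as f:
        f.write("1234\n")
    os.symlink("../run", os.path.join(root, "var", "run"))


def selinux_class(st_mode):
    """Map an inode type to the SELinux object class a relabel tool
    would label it under (dir, file, lnk_file, ...)."""
    if stat.S_ISDIR(st_mode):
        return "dir"
    if stat.S_ISLNK(st_mode):
        return "lnk_file"
    if stat.S_ISREG(st_mode):
        return "file"
    if stat.S_ISSOCK(st_mode):
        return "sock_file"
    if stat.S_ISFIFO(st_mode):
        return "fifo_file"
    if stat.S_ISCHR(st_mode):
        return "chr_file"
    if stat.S_ISBLK(st_mode):
        return "blk_file"
    return "unknown"


def relabel_walk(root):
    """Walk like a tool that does not follow symlinks: lstat() each
    entry, record its class, and descend only into real directories.
    var/run is recorded as a lnk_file and its target is never resolved,
    so nothing under run/ shows up a second time."""
    seen = {}
    stack = [root]
    while stack:
        d = stack.pop()
        with os.scandir(d) as it:
            for entry in it:
                st = os.lstat(entry.path)  # lstat: inspects the link itself
                cls = selinux_class(st.st_mode)
                seen[os.path.relpath(entry.path, root)] = cls
                if cls == "dir":
                    stack.append(entry.path)
    return seen


def follow_walk(root):
    """Contrast: a walker that stat()s through links. It resolves
    var/run, visits foo.pid under two names, and needs the (dev, inode)
    pairs of its ancestors to stop if a link points back up the tree."""
    seen = {}
    stack = [(root, frozenset())]
    while stack:
        d, ancestors = stack.pop()
        st = os.stat(d)
        key = (st.st_dev, st.st_ino)
        if key in ancestors:
            continue  # a link back to an ancestor: break the cycle
        with os.scandir(d) as it:
            for entry in it:
                st = os.stat(entry.path)  # stat: resolves the link target
                cls = selinux_class(st.st_mode)
                seen[os.path.relpath(entry.path, root)] = cls
                if cls == "dir":
                    stack.append((entry.path, ancestors | {key}))
    return seen


def demo():
    """Build the sample tree in a temporary directory and walk it both ways."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return relabel_walk(root), follow_walk(root)


if __name__ == "__main__":
    nofollow, follow = demo()
    print("lstat walk:", sorted(nofollow.items()))
    print("stat walk: ", sorted(follow.items()))
```

The lstat walk is the one a relabeling tool wants: each inode is labelled once under its real path, and the symlink is an object in its own right rather than a second route to its target.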

* [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
  2013-09-26 12:41   ` Dominick Grift
@ 2013-09-27 20:58     ` Christopher J. PeBenito
  2013-09-27 21:03       ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2013-09-27 20:58 UTC (permalink / raw)
  To: refpolicy

On Thu 26 Sep 2013 08:41:44 AM EDT, Dominick Grift wrote:
> On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
>> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
>>> Do not audit attempts by fixfiles to read all symbolic links
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> ---
>>>  policy/modules/system/selinuxutil.te | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
>>> index 5622246..ff19d75 100644
>>> --- a/policy/modules/system/selinuxutil.te
>>> +++ b/policy/modules/system/selinuxutil.te
>>> @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
>>>  files_read_etc_files(setfiles_t)
>>>  files_list_all(setfiles_t)
>>>  files_relabel_all_files(setfiles_t)
>>> -files_read_usr_symlinks(setfiles_t)
>>> +files_dontaudit_read_all_symlinks(setfiles_t)
>>>
>>>  fs_getattr_xattr_fs(setfiles_t)
>>>  fs_list_all(setfiles_t)
>>
>> Can you further clarify this?  Setfiles hasn't changed much in years,
>> so I'm unclear on why this change is necessary.
>
> This is not so much related to setfiles.
>
> It's related to recent changes of locations, for example /var/run
> -> /run, /bin -> /usr/bin, etc.
>
> So now /var/run is a symlink to /run.
>
> setfiles doesn't follow symlinks, so we might as well silently deny access
> to read all symlinks.

I'm reluctant to remove the usr_t access, since it might be needed from 
one of the libs setfiles uses, rather than setfiles itself.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 04/20] seutils: restorecon wants to read /run symbolic link
  2013-09-27 20:58     ` Christopher J. PeBenito
@ 2013-09-27 21:03       ` Dominick Grift
  0 siblings, 0 replies; 5+ messages in thread
From: Dominick Grift @ 2013-09-27 21:03 UTC (permalink / raw)
  To: refpolicy

On Fri, 2013-09-27 at 16:58 -0400, Christopher J. PeBenito wrote:
> On Thu 26 Sep 2013 08:41:44 AM EDT, Dominick Grift wrote:
> > On Thu, 2013-09-26 at 08:38 -0400, Christopher J. PeBenito wrote:
> >> On Tue 24 Sep 2013 09:39:16 AM EDT, Dominick Grift wrote:
> >>> Do not audit attempts by fixfiles to read all symbolic links
> >>>
> >>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> >>> ---
> >>>  policy/modules/system/selinuxutil.te | 2 +-
> >>>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> >>> index 5622246..ff19d75 100644
> >>> --- a/policy/modules/system/selinuxutil.te
> >>> +++ b/policy/modules/system/selinuxutil.te
> >>> @@ -552,7 +552,7 @@ files_read_etc_runtime_files(setfiles_t)
> >>>  files_read_etc_files(setfiles_t)
> >>>  files_list_all(setfiles_t)
> >>>  files_relabel_all_files(setfiles_t)
> >>> -files_read_usr_symlinks(setfiles_t)
> >>> +files_dontaudit_read_all_symlinks(setfiles_t)
> >>>
> >>>  fs_getattr_xattr_fs(setfiles_t)
> >>>  fs_list_all(setfiles_t)
> >>
> >> Can you further clarify this?  Setfiles hasn't changed much in years,
> >> so I'm unclear on why this change is necessary.
> >
> > This is not so much related to setfiles.
> >
> > It's related to recent changes of locations, for example /var/run
> > -> /run, /bin -> /usr/bin, etc.
> >
> > So now /var/run is a symlink to /run.
> >
> > setfiles doesn't follow symlinks, so we might as well silently deny access
> > to read all symlinks.
> 
> I'm reluctant to remove the usr_t access, since it might be needed from 
> one of the libs setfiles uses, rather than setfiles itself.

OK, that's fine, then please just add the dontaudit for the others.

> 
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com

