policy for k3b (and cdrecord)

policy for k3b (and cdrecord)

[Luke Kenneth Casson Leighton]

i'm writing a policy for k3b (kde cd burner) and cdrecord because
write access by users to /dev/hdc is banned (policy violation) and
because, well, because.

sadly, k3b uses find to search the ENTIRE drive e.g. /dev and /
and stuff and so i get a whole stack of search and read permissions
requested.

this i can put up with by banning with dontaudit: i can do this because
i actually don't _want_ users to burn CDs with k3b except from anything from
their home directory, and any excessive number of dontaudits i am
personally quite happy with.

(and for backup purposes they can have a nice shiny button on the
desktop, using a different program, which will get its own nice policy
file).

my question is, therefore:

- for more generic use, obviously k3b must be allowed to access pretty
  much anything on / so what should i put in place of all the
  dontaudits and allow k3b_t user_home_t etc. stuff?

ta,

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy for k3b (and cdrecord)

[Russell Coker]

On Wed, 18 Aug 2004 04:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> i'm writing a policy for k3b (kde cd burner) and cdrecord because
> write access by users to /dev/hdc is banned (policy violation) and
> because, well, because.

Why not change the type of /dev/hdc to removable_device_t and define 
user_rw_noexattrfile when compiling the policy?  That should be all that the 
CD burner needs.

If you have a special policy for burning CDs then that policy needs to be 
limited to only files that the user can access.

> - for more generic use, obviously k3b must be allowed to access pretty
>   much anything on / so what should i put in place of all the
>   dontaudits and allow k3b_t user_home_t etc. stuff?

If you have a domain k3b_t which is entered from any user domain then user_t 
can use it to write files from a staff_r home directory to a CD...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: policy for k3b (and cdrecord)

[Luke Kenneth Casson Leighton]

On Wed, Aug 18, 2004 at 08:54:46PM +1000, Russell Coker wrote:
> On Wed, 18 Aug 2004 04:33, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > i'm writing a policy for k3b (kde cd burner) and cdrecord because
> > write access by users to /dev/hdc is banned (policy violation) and
> > because, well, because.
> 
> Why not change the type of /dev/hdc to removable_device_t and define 
> user_rw_noexattrfile when compiling the policy?  That should be all that the 
> CD burner needs.

 drat.  thank you.

 now why didn't i think of changing the type of /dev/hdc?

 hey, well, i've done the policy now, i might as well use it.

 unless.... of course... DVD and CD _reading_ *sigh*.

 that's up the creek, too.

 which your suggestion would fix as well.

 thank you russell: advice really appreciated, you saved me a lot of
 time and hassle.



> If you have a special policy for burning CDs then that policy needs to be 
> limited to only files that the user can access.
> 
> > - for more generic use, obviously k3b must be allowed to access pretty
> >   much anything on / so what should i put in place of all the
> >   dontaudits and allow k3b_t user_home_t etc. stuff?
> 
> If you have a domain k3b_t which is entered from any user domain then user_t 
> can use it to write files from a staff_r home directory to a CD...
 
 i allowed a lot of getattrs for directory access (and then removed
 them / turned them into dontaudits) before i realised of course that
 k3b was directory-scanning with find.

 once i realised that, i began to be more selective: i don't believe i
 added permission to read or scan the contents of /root for example.

 so really i should do something similar to the mozilla thing, then.

 namely, macro-ise it, use x_client_domain, that sort of thing.

 
 [btw it turns out that k3b doesn't actually do any cd-burning itself:
  it's just a front-end to running cdrecord, cdrdao and dvd+rw-format.]

 l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.