From: Daniel J Walsh <dwalsh@redhat.com>
To: ivg2@cornell.edu
Cc: Stephen Smalley <sds@epoch.ncsc.mil>, selinux@tycho.nsa.gov
Subject: Re: File Browsing apps and getattr
Date: Wed, 02 Feb 2005 11:22:08 -0500 [thread overview]
Message-ID: <4200FE30.7040405@redhat.com> (raw)
In-Reply-To: <1107360093.14674.8.camel@cobra.ivg2.net>
Ivan Gyurdiev wrote:
>>Tightened up a little bit.
>>define(`file_browse_domain', `
>># Do not flood message log, if the user does a browse
>>dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr;
>>dontaudit $1 dev_fs:dir_file_class_set getattr;
>>dontaudit $1 file_type - secure_file_type:dir read;
>>')dnl end file_browse_domain
>>
>>
>
>I don't like how security types are being excluded as being special.
>I understand the concern, but that will cause audited denials for proper
>use of applications like ls.
>
>
>
Doing ls of Kerberos keyfiles, certs and shadow or any other security
file should probably be audited in
a strict policy, because the next thing would be an attempt at a read.
It might be usefull to know that the
latest mozilla plugin is poking around some more secure files.
Dontaudit would just cover this up.
>Stephen Smalley:
>"Yes, shadow_t would fall into that class. So at that point you might
>dontaudit attempts to getattr it from user domains, while leaving them
>audited for the daemon domains."
>
>I don't think daemon domains should be using this file_browse_domain
>in the first place - seems to me like it should be used only for user
>domains. For smbd, for example, something more specialized could be used
>like the patch I posted which is restricted to $1_file_type only
>(since we don't allow arbitrary samba shares through the filesystem
>anyway)
>
>Will user_t be using this macro?
>
>
Yes. There already was similar code in the base_user_macros.te file.
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-02-02 16:22 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-31 22:26 File Browsing apps and getattr Ivan Gyurdiev
2005-02-01 12:11 ` Stephen Smalley
2005-02-01 13:08 ` Ivan Gyurdiev
2005-02-01 13:11 ` Stephen Smalley
2005-02-01 13:26 ` Ivan Gyurdiev
2005-02-01 13:31 ` Stephen Smalley
2005-02-01 18:01 ` Daniel J Walsh
2005-02-01 18:42 ` Ivan Gyurdiev
2005-02-01 19:52 ` Stephen Smalley
2005-02-01 23:39 ` Ivan Gyurdiev
2005-02-02 12:03 ` Stephen Smalley
2005-02-02 13:19 ` Ivan Gyurdiev
2005-02-02 13:14 ` Stephen Smalley
2005-02-02 14:14 ` Ivan Gyurdiev
2005-02-02 14:07 ` Daniel J Walsh
2005-02-02 14:22 ` Stephen Smalley
2005-02-02 14:36 ` Daniel J Walsh
2005-02-02 16:01 ` Ivan Gyurdiev
2005-02-02 16:22 ` Daniel J Walsh [this message]
2005-02-02 16:41 ` Ivan Gyurdiev
2005-02-01 16:15 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4200FE30.7040405@redhat.com \
--to=dwalsh@redhat.com \
--cc=ivg2@cornell.edu \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.