* Suggested global change to policy
@ 2008-05-21 15:59 Daniel J Walsh
From: Daniel J Walsh @ 2008-05-21 15:59 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
Remove all init programs calls to
sysadm_dontaudit_list_home_dirs and put that call in the
init_system_domain and init_daemon_domain
That way we can think about making role/sysadm a module.
Of course I believe the /root should have a special context of
admin_home_t and not be affected by whether or not you have sysadm
policy defined.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Suggested global change to policy
From: Christopher J. PeBenito @ 2008-05-22 13:17 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Wed, 2008-05-21 at 11:59 -0400, Daniel J Walsh wrote:
> Remove all init programs calls to
> sysadm_dontaudit_list_home_dirs and put that call in the
>
> init_system_domain and init_daemon_domain
I might be able to buy that for the latter, but I don't see it for the
former.
> That way we can think about making role/sysadm a module.
>
> Of course I believe the /root should have a special context of
> admin_home_t and not be affected by whether or not you have sysadm
> policy defined.
In the RBAC separation branch I was planning to have all the roles have
the same home directory type anyway (owned by the userdomain module).
If it ends up that we still need to have a type-based separation between
unpriv user and admin user home directories, then it will end up being
as you suggest above.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Suggested global change to policy
From: Daniel J Walsh @ 2008-05-22 14:00 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SE Linux
Christopher J. PeBenito wrote:
> On Wed, 2008-05-21 at 11:59 -0400, Daniel J Walsh wrote:
>> Remove all init programs calls to
>> sysadm_dontaudit_list_home_dirs and put that call in the
>>
>> init_system_domain and init_daemon_domain
>
Well, the whole cause of this AVC is apps doing a getcwd() call when they
start up. Which seems to be built into glibc? Or just executables in
Linux. So any app that gets started by an administrator sitting in the
/root directory requires this dontaudit rule. If you look through the
policy, this rule is everywhere for both types of init domains.
> I might be able to buy that for the latter, but I don't see it for the
> former.
>
>> That way we can think about making role/sysadm a module.
>>
>> Of course I believe the /root should have a special context of
>> admin_home_t and not be affected by whether or not you have sysadm
>> policy defined.
>
> In the RBAC separation branch I was planning to have all the roles have
> the same home directory type anyway (owned by the userdomain module).
> If it ends up that we still need to have a type-based separation between
> unpriv user and admin user home directories, then it will end up being
> as you suggest above.
>
As long as they are different. Allowing any confined app to write to
/root should be heavily constrained, while writing to random users' home
directories is a lot more common.
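An added example, not part of the thread or of refpolicy itself: a small Python audit that classifies, per domain, what Dan's proposal would mean if sysadm_dontaudit_list_home_dirs() were called from inside init_daemon_domain/init_system_domain. It assumes a refpolicy-style .te layout (one interface call per line, "#" comments) and runs over constructed module excerpts rather than real policy sources.

```python
import re

# Constructed refpolicy-style .te excerpts (assumption: not real refpolicy text).
MODULES = {
    "cron.te": """
init_daemon_domain(crond_t, crond_exec_t)
sysadm_dontaudit_list_home_dirs(crond_t)
""",
    "logrotate.te": """
init_system_domain(logrotate_t, logrotate_exec_t)
sysadm_dontaudit_list_home_dirs(logrotate_t)
""",
    "bind.te": """
init_daemon_domain(named_t, named_exec_t)
# sysadm_dontaudit_list_home_dirs(named_t)   commented out: must be ignored
""",
    "mozilla.te": """
sysadm_dontaudit_list_home_dirs(mozilla_t)
""",
}

INIT_IFACES = {"init_daemon_domain", "init_system_domain"}
DONTAUDIT = "sysadm_dontaudit_list_home_dirs"
CALL_RE = re.compile(r"^\s*(\w+)\s*\(([^)\n]*)\)", re.M)

def interface_calls(text):
    """Yield (interface_name, first_argument) per call, skipping '#' comments."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for m in CALL_RE.finditer(code):
        yield m.group(1), m.group(2).split(",")[0].strip()

def classify(modules):
    """Per domain: 'redundant' (init domain that also calls the dontaudit itself,
    so the explicit call can be dropped), 'newly_covered' (init domain that would
    gain the dontaudit), or 'keep' (non-init caller whose explicit call must stay)."""
    init_domains, dontaudit_domains = set(), set()
    for text in modules.values():
        for iface, dom in interface_calls(text):
            if iface in INIT_IFACES:
                init_domains.add(dom)
            elif iface == DONTAUDIT:
                dontaudit_domains.add(dom)
    verdict = {}
    for dom in init_domains | dontaudit_domains:
        if dom not in init_domains:
            verdict[dom] = "keep"
        else:
            verdict[dom] = "redundant" if dom in dontaudit_domains else "newly_covered"
    return verdict
```

Calling classify(MODULES) on the constructed excerpts reports crond_t and logrotate_t as redundant callers, named_t as newly covered, and mozilla_t as a non-init caller that must keep its explicit call; point it at real .te files to see the "everywhere" Dan describes.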