From: Daniel J Walsh
To: Joshua Brindle
CC: SE Linux
Subject: Re: Patch to libsemanage to remove labeling of /root
Date: Tue, 17 Feb 2009 16:17:10 -0500
Message-ID: <499B2956.6090104@redhat.com>
In-Reply-To: <499B20AA.8050902@manicmethod.com>

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> Joshua Brindle wrote:
>>>>> Daniel J Walsh wrote:
>>>>>> Policy should label /root with one label and this should not be
>>>>>> affected by the passwd database.
>>>>>>
>>>>>> In Fedora policy we label this as admin_home_t. Having this label vary
>>>>>> depending on policy ends up with lines like
>>>>>>
>>>>>> dontaudit * user_home_t:dir search_dir_perms
>>>>>> dontaudit * admin_home_t:dir search_dir_perms
>>>>>> dontaudit * sysadmin_home_t:dir search_dir_perms
>>>>>> dontaudit * staff_home_t:dir search_dir_perms
>>>>>>
>>>>>> Labeling this directory as user_home_t opens the system to possible
>>>>>> security risks since some domains have to be able to write to
>>>>>> user_home_t when they would never be allowed to write to admin_home_t.
>>>>> The comment right above the added lines seems to indicate that was
>>>>> supposed to be root before, why is / excluded? Are we going to start a
>>>>> huge whitelist for genhomedircon?
>>>>>
>>>>>     if (strcmp(pwent->pw_dir, "/") == 0) {
>>>>>             /* don't relabel / genhomdircon checked to see if root
>>>>>              * was the user and if so, set his home directory to
>>>>>              * /root */
>>>>>             continue;
>>>>>     }
>>>> No just /root
>>>>
>>>> /root should not be labeled based on genhomedircon.
>>>>
>>> Why are the exact same lines there for "/" then?
>>>
>> Well I guess we do want to protect / and /root.
>>
>> Others should be fixed by looking at the parent, so if I added /var as a
>> homedir it would blow up saying it conflicts with the previous
>> definition of /var.
>>
>
> I don't think I understand the problem we are trying to solve here...

Right now we do not know what /root is going to be labeled. Sometimes it is
labeled admin_home_t, sometimes sysadm_home_dir_t, other times
user_home_dir_t. I believe this is wrong. It is not a "USER" home dir, it is
something far more special. Allowing it to be set by an application like
genhomedircon prevents us from knowing what the label should be.
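As an added illustration of the check discussed in this thread (not code from the libsemanage patch or from either poster), the C snippet below treats / and /root as reserved, policy-labelled directories that a passwd-driven generator must skip, and rejects a home directory that equals or sits beneath a path policy already defines, which is the kind of conflict described for /var. The reserved list and the existing-prefix list are constructed assumptions, not libsemanage's own data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Directories whose label comes from policy itself (e.g. admin_home_t for
 * /root in Fedora policy) and must never be derived from the passwd database.
 * Illustrative list, not libsemanage's own. */
static const char *const reserved_dirs[] = { "/", "/root" };

/* Constructed sample of path prefixes already covered by file_contexts. */
static const char *const existing_prefixes[] = { "/var", "/usr", "/etc" };

/* True if dir is exactly one of the reserved directories. */
bool homedir_is_reserved(const char *dir)
{
    for (size_t i = 0; i < sizeof reserved_dirs / sizeof *reserved_dirs; i++)
        if (strcmp(dir, reserved_dirs[i]) == 0)
            return true;
    return false;
}

/* True if dir equals, or lives beneath, a prefix policy already defines.
 * The trailing-character test keeps "/varx" from matching "/var". */
bool homedir_conflicts(const char *dir)
{
    for (size_t i = 0; i < sizeof existing_prefixes / sizeof *existing_prefixes; i++) {
        const char *p = existing_prefixes[i];
        size_t n = strlen(p);
        if (strncmp(dir, p, n) == 0 && (dir[n] == '\0' || dir[n] == '/'))
            return true;
    }
    return false;
}

/* Decide whether a passwd home directory may receive a generated user home
 * context: 1 = generate, 0 = skip (reserved, policy labels it), -1 = conflict. */
int homedir_disposition(const char *dir)
{
    if (homedir_is_reserved(dir))
        return 0;
    if (homedir_conflicts(dir))
        return -1;
    return 1;
}

int main(void)
{
    const char *samples[] = { "/", "/root", "/home/alice", "/var", "/var/lib/foo" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-14s -> %d\n", samples[i], homedir_disposition(samples[i]));
    return 0;
}
```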