From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 18/34]: patch for the policykit module (labeling, start from dbus, read xdm files)
Date: Wed, 02 Mar 2011 08:51:38 -0500
Message-ID: <4D6E4B6A.5090708@tresys.com>
In-Reply-To: <1299019647.14035.81.camel@tesla.lan>
On 03/01/11 17:47, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.12 -0500, Christopher J. PeBenito wrote:
>> On 02/28/11 14:07, Guido Trentalancia wrote:
>>> On Mon, 28/02/2011 at 08.56 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:22, Guido Trentalancia wrote:
>>>>> This patch adds a file context for the /var/lib/polkit-1 directory.
>>>>> It then allows policykit to be started from dbus. It also adds
>>>>> some other permissions needed to run policykit and a new interface
>>>>> which is used to read xdm files.
>>>>>
>>>>> diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc
>>>>> --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.fc 2011-01-08 19:07:21.280747356 +0100
>>>>> +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.fc 2011-02-07 03:31:53.547856778 +0100
>>>>> @@ -11,5 +11,6 @@
>>>>> /var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
>>>>> /var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
>>>>> /var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
>>>>> +/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
>>>>> /var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
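Review bot: The new `/var/lib/polkit-1(/.*)?` entry reuses `policykit_var_lib_t`, the same type as the existing `/var/lib/PolicyKit` and `/var/lib/PolicyKit-public` entries, so no new type declaration is needed in policykit.te and the `@@ -11,5 +11,6 @@` header is consistent with a single added line. Worth adding to the patch description that systems which already have a `/var/lib/polkit-1` directory need a relabel (for example `restorecon -R /var/lib/polkit-1`) before the new context takes effect, since a file-context change alone does not relabel existing files.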
>>>>>
>>>>> diff -pruN refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te
>>>>> --- refpolicy-git-02022011-test-apply2/policy/modules/services/policykit.te 2011-02-07 03:31:24.763790944 +0100
>>>>> +++ refpolicy-git-02022011-test-apply3/policy/modules/services/policykit.te 2011-02-07 03:31:53.550857306 +0100
>>>>> @@ -35,8 +35,8 @@ files_pid_file(policykit_var_run_t)
>>>>> # policykit local policy
>>>>> #
>>>>>
>>>>> -allow policykit_t self:capability { setgid setuid };
>>>>> -allow policykit_t self:process getattr;
>>>>> +allow policykit_t self:capability { setgid setuid sys_ptrace };
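Review bot: The added `sys_ptrace` in `allow policykit_t self:capability { setgid setuid sys_ptrace };` needs a stated reason in the patch description; CAP_SYS_PTRACE is a broad capability (it permits inspecting and attaching to other processes), and nothing in the quoted description (labeling, start from dbus, read xdm files) calls for it. If the denial only shows up in the logs and the daemon works without it, a `dontaudit policykit_t self:capability sys_ptrace;` rule keeps the grant out of the policy while silencing the message. Also, this hunk removes `allow policykit_t self:process getattr;`, but the quote is cut after the first `+` line, so whatever replaced that rule is not visible here; the full hunk should be reviewed before merging.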
>>>>
>>>> This sys_ptrace is highly questionable.
>>>
>>> Could that be due to calls to the following functions:
>>>
>>> sigemptyset()
>>> sigaddset()
>>> sigprocmask()
>>>
>>> There are no calls to ptrace() and this is not due to
>>> reading /proc/PID/cmdline.
>>>
>>> In truth I can only check if this is critical for policykit.
>>
>> dontauditing this doesn't work?
>
> dontaudit will just shut it up. If it is not critical we could do that,
> but *what's the point of hiding stuff under the carpet*?
>
> Your reply "[PATCH 11/34]: patch to allow consolekit shutdown the
> system" timestamped Tue, 01 Mar 2011 14:18:01 -0500 gives a practical
> example of the fact that dontaudit can have side effects even for a
> maintainer.
>
> If one works everyday with the policy such side effects probably have a
> minimal impact because, as soon as something goes wrong, he or she knows
> that if there are no AVCs then he or she has to track down the dontaudit
> rules.
>
> But for somebody that barely knows his or her system has a security
> framework and a security policy, these "side-effects" could turn into
> real "blockers". For example, he or she manages to find out that the
> problem is due to SELinux, then manages to find out that he/she needs to
> check the audit logs, but at the end he/she doesn't find anything there
> and just gets confused.
>
> For a distribution it's different. Everything is pre-packaged and
> tested. But here we are discussing the reference policy.
>
> In the context of the reference policy it could make some sense only in
> the context of well known "leaks". But this doesn't appear to be the
> case...
In general, anything that is not required should be denied. We do not
want to fill up the logs with extraneous denial messages, so we
dontaudit them. If there is a question of denials being suppressed by
dontaudits, that's why we have semodule -D.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
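The `semodule -D` workflow Chris refers to above, as an added example that is not part of the thread: on a live system you rebuild the policy with dontaudit rules disabled (`semodule -DB`), reproduce the problem, read the now-visible denials with `ausearch -m avc`, and re-enable the dontaudit rules with `semodule -B`. The script below does not run those commands; it carries the parsing half of that workflow, a small awk filter that reduces AVC records to "domain class permission" triples for one source domain, run here over constructed sample records that mimic what audit.log would show for `policykit_t` (the pids, inodes and timestamps are made up).

```shell
#!/bin/sh
# Added example, not code from the refpolicy patch or the mailing-list thread.
# Constructed sample audit records (not captured from a real system). The
# first mimics the sys_ptrace capability denial discussed in the thread.
SAMPLE_AVCS='type=AVC msg=audit(1299019647.123:42): avc:  denied  { sys_ptrace } for  pid=1234 comm="polkitd" capability=19  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=capability
type=AVC msg=audit(1299019648.456:43): avc:  denied  { read } for  pid=1234 comm="polkitd" name="cmdline" dev=proc ino=5678 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file
type=AVC msg=audit(1299019649.789:44): avc:  denied  { setuid } for  pid=2345 comm="sshd" capability=7  scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=capability'

# Read AVC records on stdin and print "<type> <class> <permissions>" for each
# denial whose source domain (the type field of scontext) equals $1.
summarize_denials() {
    domain="$1"
    awk -v dom="$domain" '
        /avc:  denied/ {
            perm = ""; scon = ""; tclass = ""
            # The permission set sits between "{ " and " }".
            s = index($0, "{ "); e = index($0, " }")
            if (s > 0 && e > s) { perm = substr($0, s + 2, e - s - 2) }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { scon = substr($i, 10) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            split(scon, parts, ":")      # user:role:type:level
            if (parts[3] == dom) { print parts[3], tclass, perm }
        }'
}

# Summarize the constructed sample for domain $1.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVCS" | summarize_denials "$1"
}

# Number of sys_ptrace capability denials the sample holds for domain $1.
count_sys_ptrace() {
    summarize_sample "$1" | grep -c 'capability sys_ptrace' || true
}

# On a real system the same filter reads the audit log instead of the sample:
#   semodule -DB                                     # disable dontaudit rules, rebuild
#   ...reproduce the failing operation...
#   ausearch -m avc -ts recent | summarize_denials policykit_t
#   semodule -B                                      # restore the dontaudit rules
summarize_sample policykit_t
```

Each line the filter prints is a candidate for one of two decisions from the thread: an `allow` rule if the operation is genuinely required, or a `dontaudit` rule if the daemon works without it and the message is only noise.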