From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] user access to DOS files
Date: Tue, 8 Nov 2011 08:22:26 -0500
Message-ID: <4EB92D12.9080008@tresys.com>
In-Reply-To: <201111071408.00628.russell@coker.com.au>

On 11/06/11 22:08, Russell Coker wrote:
> The attached patch adds a new boolean for granting users access to dosfs_t.
>
> Also in the same patch is a Debian specific patch to allow users to read
> /var/lib/apt/lists. While it's generally best to split patches I think that
> having an uncontroversial patch wrapped with distro_debian appended isn't a
> big deal. If the dosfs_t patch is rejected I'll submit the Debian one
> separately.

These are in userdom_base_user_template(); that is too low level of a template for these rules. That template is supposed to be as close to the absolute minimum usable user as possible. userdom_unpriv_user_template() or userdom_common_user_template() would be better choices.

> diff -ru ./policy/global_tunables /tmp/refpolicy/policy/global_tunables
> --- ./policy/global_tunables 2011-02-19 11:44:29.585412285 +1100
> +++ /tmp/refpolicy/policy/global_tunables 2011-11-07 13:22:19.258199269 +1100
> @@ -111,3 +111,10 @@
> ## </p>
> ## </desc>
> gen_tunable(user_tcp_server,false)
> +
> +## <desc>
> +## <p>
> +## Allow users to manage files on dosfs_t devices, usually removable media
> +## </p>
> +## </desc>
> +gen_tunable(user_manage_dos_files,true)
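
Review bot: gen_tunable(user_manage_dos_files,true) on the last added line enables the new access by default, while the tunable directly above it, user_tcp_server, defaults to false. The description itself says these filesystems are usually removable media, so consider defaulting to false and making the access an explicit opt-in. The description sentence is also missing its closing period, and dosfs_t labels a filesystem rather than a device, so "files on dosfs_t filesystems" would be more accurate.
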
> diff -ru ./policy/modules/system/userdomain.if /tmp/refpolicy/policy/modules/system/userdomain.if
> --- ./policy/modules/system/userdomain.if 2011-10-29 21:44:32.502459650 +1100
> +++ /tmp/refpolicy/policy/modules/system/userdomain.if 2011-11-07 13:22:19.310197159 +1100
> @@ -117,6 +118,19 @@
> # Allow making the stack executable via mprotect.
> allow $1_t self:process execstack;
> ')
> +
> + tunable_policy(`user_manage_dos_files',`
> + fs_manage_dos_dirs($1_t)
> + fs_manage_dos_files($1_t)
> + ')
> +
> + ifdef(`distro_debian', `
> + # allow reading /var/lib/apt/lists
> + apt_read_db($1_t)
> + # allow reading /var/cache/apt - should not be needed but
> + # does not really matter
> + apt_read_cache($1_t)
> + ')
> ')
>
> #######################################
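
Review bot: the comment above apt_read_cache($1_t) says the rule "should not be needed but does not really matter"; a rule the submitter believes is unnecessary should be dropped rather than granted to every $1_t domain, and added back only if a denial shows it is required. apt_read_db($1_t) and apt_read_cache($1_t) are also called bare inside the ifdef(`distro_debian', ...) block; apt is a separate module, so wrapping both calls in optional_policy would keep the policy building when that module is not present.
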
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com