From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)
Date: Thu, 06 Sep 2012 13:14:20 +0200 [thread overview]
Message-ID: <5048858C.70700@trentalancia.com> (raw)
In-Reply-To: <50475283.7080202@redhat.com>
Hello Daniel.
Following your reflections, I have checked the current situation and I
share the concerns, so I have created a patch which disables most
tunable policy booleans (except network and the mcelog module as it
deals amongst other things with CPU thermal events which can be related
to hardware failures).
On 05/09/2012 15:24, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>
>>>
>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>
>>>>> Add a new boolean to grant users access to dosfs_t. ---
>>>>> policy/global_tunables | 7 +++++++
>>>>> policy/modules/system/userdomain.if | 6 ++++++ 2 files changed, 13
>>>>> insertions(+)
>>>>>
>>>>> diff --git a/policy/global_tunables b/policy/global_tunables index
>>>>> 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++
>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@
>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc>
>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +## Allow
>>>>> users to manage files on dosfs_t devices, usually removable media +##
>>>>> </p> +## </desc> +gen_tunable(user_manage_dos_files,true)
>>>>
>>>> In my opinion is good to have this as on option, but in a secure
>>>> environment the default should be false for removable media.
>>>
>>> i would prefer the boolean to be fprefix userdom or userdomain instead of
>>> user, because that it the module that declares this boolean.
>>>
>>> Since the user is also allowed to manage dos dirs i would probably call
>>> it: userdomain_manage_dos_content
>>>
>>> as description i would use:
>>>
>>> "Determine whether users can manage dosfs content."
>>
>> I agree. And, in particular it's not "dos files" which can be confusing,
>> but dos filesystems which is already perfectioned in Dominick's
>> amendments.
>>
>>>>> diff --git a/policy/modules/system/userdomain.if
>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65 100644
>>>>> --- a/policy/modules/system/userdomain.if +++
>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@
>>>>> template(`userdom_base_user_template',` # Allow making the stack
>>>>> executable via mprotect. allow $1_t self:process execstack; ') + +
>>>>> tunable_policy(`user_manage_dos_files',` + fs_manage_dos_dirs($1_t)
>>>>> + fs_manage_dos_files($1_t) + ') + ')
>>>>>
>>>>> #######################################
>>
>> _______________________________________________ refpolicy mailing list
>> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> I think all booleans should be off by default and then the distributions can
> decide which booleans to turn on using the booleans.conf file. This would
> allow us one file to look at to see what is enabled.
Turn off all/most tunable policy booleans by default
in Reference Policy (except network).
They can be enabled on a per-distribution basis
and many of those that were enabled were somehow
risky as defaults.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
--- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te Thu
Sep 6 10:56:21 2012
@@ -30,7 +30,7 @@ gen_tunable(mcelog_exec_scripts, true)
## print out usage and version information.
## </p>
## </desc>
-gen_tunable(mcelog_foreground, true)
+gen_tunable(mcelog_foreground, false)
## <desc>
## <p>
@@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false)
## syslog option.
## </p>
## </desc>
-gen_tunable(mcelog_syslog, true)
+gen_tunable(mcelog_syslog, false)
type mcelog_t;
type mcelog_exec_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/qemu.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
--- refpolicy-09062012-git-master/policy/modules/contrib/qemu.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
Thu Sep 6 10:53:27 2012
@@ -17,7 +17,7 @@ gen_tunable(qemu_full_network, false)
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
-gen_tunable(qemu_use_cifs, true)
+gen_tunable(qemu_use_cifs, false)
## <desc>
## <p>
@@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false)
## Allow qemu to use nfs file systems
## </p>
## </desc>
-gen_tunable(qemu_use_nfs, true)
+gen_tunable(qemu_use_nfs, false)
## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
-gen_tunable(qemu_use_usb, true)
+gen_tunable(qemu_use_usb, false)
type qemu_exec_t;
virt_domain_template(qemu)
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/rpc.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te
--- refpolicy-09062012-git-master/policy/modules/contrib/rpc.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te
Thu Sep 6 10:54:59 2012
@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
## Allow gssd to read temp directory. For access to kerberos tgt.
## </p>
## </desc>
-gen_tunable(allow_gssd_read_tmp, true)
+gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
diff -pru
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
---
refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
Thu Sep 6 10:54:20 2012
@@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa
## Allow spamd to read/write user home directories.
## </p>
## </desc>
-gen_tunable(spamd_enable_home_dirs, true)
+gen_tunable(spamd_enable_home_dirs, false)
type spamassassin_t;
type spamassassin_exec_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/virt.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
--- refpolicy-09062012-git-master/policy/modules/contrib/virt.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
Thu Sep 6 10:54:05 2012
@@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs, false)
## Allow virt to use usb devices
## </p>
## </desc>
-gen_tunable(virt_use_usb, true)
+gen_tunable(virt_use_usb, false)
virt_domain_template(svirt)
role system_r types svirt_t;
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xen.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xen.te Thu Aug
23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te
Thu Sep 6 10:54:41 2012
@@ -11,7 +11,7 @@ policy_module(xen, 1.12.0)
## Not required if using dedicated logical volumes for disk images.
## </p>
## </desc>
-gen_tunable(xend_run_blktap, true)
+gen_tunable(xend_run_blktap, false)
## <desc>
## <p>
@@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true)
## Not required if using paravirt and no vfb.
## </p>
## </desc>
-gen_tunable(xend_run_qemu, true)
+gen_tunable(xend_run_qemu, false)
## <desc>
## <p>
diff -pru refpolicy-09062012-git-master/policy/modules/contrib/xguest.te
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
--- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te Thu
Aug 23 19:23:00 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te Thu
Sep 6 10:53:49 2012
@@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0)
## Allow xguest users to mount removable media
## </p>
## </desc>
-gen_tunable(xguest_mount_media, true)
+gen_tunable(xguest_mount_media, false)
## <desc>
## <p>
## Allow xguest to configure Network Manager
## </p>
## </desc>
-gen_tunable(xguest_connect_network, true)
+gen_tunable(xguest_connect_network, false)
## <desc>
## <p>
## Allow xguest to use blue tooth devices
## </p>
## </desc>
-gen_tunable(xguest_use_bluetooth, true)
+gen_tunable(xguest_use_bluetooth, false)
role xguest_r;
diff -pru
refpolicy-09062012-git-master/policy/modules/services/postgresql.te
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
--- refpolicy-09062012-git-master/policy/modules/services/postgresql.te
Thu Sep 6 10:50:18 2012
+++
refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
Thu Sep 6 10:51:57 2012
@@ -23,7 +23,7 @@ gen_require(`
## Allow unprived users to execute DDL statement
## </p>
## </desc>
-gen_tunable(sepgsql_enable_users_ddl, true)
+gen_tunable(sepgsql_enable_users_ddl, false)
## <desc>
## <p>
@@ -37,7 +37,7 @@ gen_tunable(sepgsql_transmit_client_labe
## Allow database admins to execute DML statement
## </p>
## </desc>
-gen_tunable(sepgsql_unconfined_dbadm, true)
+gen_tunable(sepgsql_unconfined_dbadm, false)
type postgresql_t;
type postgresql_exec_t;
next prev parent reply other threads:[~2012-09-06 11:14 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-04 21:21 [refpolicy] [PATCH 1/3] Mark use of deprecated interfaces that are not providing replacement as errors Laurent Bigonville
2012-09-04 21:21 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville
2012-09-04 23:45 ` Guido Trentalancia
2012-09-05 0:32 ` Russell Coker
2012-09-05 8:47 ` Guido Trentalancia
2012-09-05 7:00 ` Dominick Grift
2012-09-05 8:41 ` Guido Trentalancia
2012-09-05 13:24 ` Daniel J Walsh
2012-09-05 15:04 ` Guido Trentalancia
2012-09-06 11:14 ` Guido Trentalancia [this message]
2012-09-06 12:54 ` [refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files) Daniel J Walsh
2012-09-05 15:50 ` [refpolicy] [PATCH v2 2/3] user access to DOS filesystems Laurent Bigonville
2012-09-05 17:58 ` Christopher J. PeBenito
2012-09-06 14:24 ` [refpolicy] [PATCH 2/3] user access to DOS files Laurent Bigonville
2012-09-06 16:31 ` Guido Trentalancia
2012-09-06 16:39 ` Guido Trentalancia
2012-09-06 17:05 ` Guido Trentalancia
2012-09-04 21:21 ` [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request Laurent Bigonville
2012-09-04 22:57 ` Guido Trentalancia
2012-09-05 0:30 ` Russell Coker
2012-09-05 8:48 ` Guido Trentalancia
2012-09-05 9:23 ` Laurent Bigonville
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5048858C.70700@trentalancia.com \
--to=guido@trentalancia.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.