[refpolicy] [PATCH]: turn all/most tunable policy booleans off by default (was Re: [PATCH 2/3] user access to DOS files)

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2012 07:14 AM, Guido Trentalancia wrote:
> Hello Daniel.
> 
> Following your reflections, I have checked the current situation and I
> share the concerns, so I have created a patch which disables most tunable
> policy booleans (except network and the mcelog module as it deals amongst
> other things with CPU thermal events which can be related to hardware
> failures).
> 
> On 05/09/2012 15:24, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 09/05/2012 04:41 AM, Guido Trentalancia wrote:
>>> On 05/09/2012 09:00, Dominick Grift wrote:
>>>> 
>>>> 
>>>> On Wed, 2012-09-05 at 01:45 +0200, Guido Trentalancia wrote:
>>>>> On 04/09/2012 23:21, Laurent Bigonville wrote:
>>>>>> From: Mika Pfl?ger <debian@mikapflueger.de>
>>>>>> 
>>>>>> Add a new boolean to grant users access to dosfs_t. --- 
>>>>>> policy/global_tunables              |    7 +++++++ 
>>>>>> policy/modules/system/userdomain.if |    6 ++++++ 2 files
>>>>>> changed, 13 insertions(+)
>>>>>> 
>>>>>> diff --git a/policy/global_tunables b/policy/global_tunables
>>>>>> index 4705ab6..43cc19a 100644 --- a/policy/global_tunables +++ 
>>>>>> b/policy/global_tunables @@ -111,3 +111,10 @@ 
>>>>>> gen_tunable(use_samba_home_dirs,false) ## </p> ## </desc> 
>>>>>> gen_tunable(user_tcp_server,false) + +## <desc> +## <p> +##
>>>>>> Allow users to manage files on dosfs_t devices, usually removable
>>>>>> media +## </p> +## </desc>
>>>>>> +gen_tunable(user_manage_dos_files,true)
>>>>> 
>>>>> In my opinion is good to have this as on option, but in a secure 
>>>>> environment the default should be false for removable media.
>>>> 
>>>> i would prefer the boolean to be fprefix userdom or userdomain
>>>> instead of user, because that it the module that declares this
>>>> boolean.
>>>> 
>>>> Since the user is also allowed to manage dos dirs i would probably
>>>> call it: userdomain_manage_dos_content
>>>> 
>>>> as description i would use:
>>>> 
>>>> "Determine whether users can manage dosfs content."
>>> 
>>> I agree. And, in particular it's not "dos files" which can be
>>> confusing, but dos filesystems which is already perfectioned in
>>> Dominick's amendments.
>>> 
>>>>>> diff --git a/policy/modules/system/userdomain.if 
>>>>>> b/policy/modules/system/userdomain.if index e720dcd..0c96b65
>>>>>> 100644 --- a/policy/modules/system/userdomain.if +++ 
>>>>>> b/policy/modules/system/userdomain.if @@ -117,6 +117,12 @@ 
>>>>>> template(`userdom_base_user_template',` # Allow making the stack 
>>>>>> executable via mprotect. allow $1_t self:process execstack; ') +
>>>>>> + tunable_policy(`user_manage_dos_files',` +
>>>>>> fs_manage_dos_dirs($1_t) +        fs_manage_dos_files($1_t) +
>>>>>> ') + ')
>>>>>> 
>>>>>> #######################################
>>> 
>>> _______________________________________________ refpolicy mailing list 
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>> 
>> I think all booleans should be off by default and then the distributions
>> can decide which booleans to turn on using the booleans.conf file.  This
>> would allow us one file to look at to see what is enabled.
> 
> Turn off all/most tunable policy booleans by default in Reference Policy
> (except network).
> 
> They can be enabled on a per-distribution basis and many of those that were
> enabled were somehow risky as defaults.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com> ---
> 
> diff -pru refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te 
> --- refpolicy-09062012-git-master/policy/modules/contrib/mcelog.te    Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/mcelog.te
>  Thu Sep  6 10:56:21 2012 @@ -30,7 +30,7 @@
> gen_tunable(mcelog_exec_scripts, true) ## print out usage and version
> information. ## </p> ## </desc> -gen_tunable(mcelog_foreground, true) 
> +gen_tunable(mcelog_foreground, false)
> 
> ## <desc> ## <p> @@ -48,7 +48,7 @@ gen_tunable(mcelog_server, false) ##
> syslog option. ## </p> ## </desc> -gen_tunable(mcelog_syslog, true) 
> +gen_tunable(mcelog_syslog, false)
> 
> type mcelog_t; type mcelog_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/qemu.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/qemu.te
> Thu Sep  6 10:53:27 2012 @@ -17,7 +17,7 @@ gen_tunable(qemu_full_network,
> false) ## Allow qemu to use cifs/Samba file systems ## </p> ## </desc> 
> -gen_tunable(qemu_use_cifs, true) +gen_tunable(qemu_use_cifs, false)
> 
> ## <desc> ## <p> @@ -31,14 +31,14 @@ gen_tunable(qemu_use_comm, false) ##
> Allow qemu to use nfs file systems ## </p> ## </desc> 
> -gen_tunable(qemu_use_nfs, true) +gen_tunable(qemu_use_nfs, false)
> 
> ## <desc> ## <p> ## Allow qemu to use usb devices ## </p> ## </desc> 
> -gen_tunable(qemu_use_usb, true) +gen_tunable(qemu_use_usb, false)
> 
> type qemu_exec_t; virt_domain_template(qemu) diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/rpc.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/rpc.te Thu 
> Sep  6 10:54:59 2012 @@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0) ## Allow
> gssd to read temp directory.  For access to kerberos tgt. ## </p> ##
> </desc> -gen_tunable(allow_gssd_read_tmp, true) 
> +gen_tunable(allow_gssd_read_tmp, false)
> 
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
> 
- --- refpolicy-09062012-git-master/policy/modules/contrib/spamassassin.te    Thu
> Aug 23 19:23:00 2012 +++ 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/spamassassin.te
>
> 
Thu Sep  6 10:54:20 2012
> @@ -17,7 +17,7 @@ gen_tunable(spamassassin_can_network, fa ## Allow spamd
> to read/write user home directories. ## </p> ## </desc> 
> -gen_tunable(spamd_enable_home_dirs, true) 
> +gen_tunable(spamd_enable_home_dirs, false)
> 
> type spamassassin_t; type spamassassin_exec_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/virt.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/virt.te
> Thu Sep  6 10:54:05 2012 @@ -45,7 +45,7 @@ gen_tunable(virt_use_sysfs,
> false) ## Allow virt to use usb devices ## </p> ## </desc> 
> -gen_tunable(virt_use_usb, true) +gen_tunable(virt_use_usb, false)
> 
> virt_domain_template(svirt) role system_r types svirt_t; diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te ---
> refpolicy-09062012-git-master/policy/modules/contrib/xen.te    Thu Aug 23 
> 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xen.te Thu 
> Sep  6 10:54:41 2012 @@ -11,7 +11,7 @@ policy_module(xen, 1.12.0) ## Not
> required if using dedicated logical volumes for disk images. ## </p> ##
> </desc> -gen_tunable(xend_run_blktap, true) +gen_tunable(xend_run_blktap,
> false)
> 
> ## <desc> ## <p> @@ -19,7 +19,7 @@ gen_tunable(xend_run_blktap, true) ##
> Not required if using paravirt and no vfb. ## </p> ## </desc> 
> -gen_tunable(xend_run_qemu, true) +gen_tunable(xend_run_qemu, false)
> 
> ## <desc> ## <p> diff -pru
> refpolicy-09062012-git-master/policy/modules/contrib/xguest.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te 
> --- refpolicy-09062012-git-master/policy/modules/contrib/xguest.te    Thu
> Aug 23 19:23:00 2012 +++
> refpolicy-09062012-safe-default-booleans/policy/modules/contrib/xguest.te
>  Thu Sep  6 10:53:49 2012 @@ -10,21 +10,21 @@ policy_module(xguest, 1.1.0) 
> ## Allow xguest users to mount removable media ## </p> ## </desc> 
> -gen_tunable(xguest_mount_media, true) +gen_tunable(xguest_mount_media,
> false)
> 
> ## <desc> ## <p> ## Allow xguest to configure Network Manager ## </p> ##
> </desc> -gen_tunable(xguest_connect_network, true) 
> +gen_tunable(xguest_connect_network, false)
> 
> ## <desc> ## <p> ## Allow xguest to use blue tooth devices ## </p> ##
> </desc> -gen_tunable(xguest_use_bluetooth, true) 
> +gen_tunable(xguest_use_bluetooth, false)
> 
> role xguest_r;
> 
> diff -pru
> refpolicy-09062012-git-master/policy/modules/services/postgresql.te 
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
> 
- --- refpolicy-09062012-git-master/policy/modules/services/postgresql.te Thu Sep
> 6 10:50:18 2012 +++ 
> refpolicy-09062012-safe-default-booleans/policy/modules/services/postgresql.te
>
> 
Thu Sep  6 10:51:57 2012
> @@ -23,7 +23,7 @@ gen_require(` ## Allow unprived users to execute DDL
> statement ## </p> ## </desc> -gen_tunable(sepgsql_enable_users_ddl, true) 
> +gen_tunable(sepgsql_enable_users_ddl, false)
> 
> ## <desc> ## <p> @@ -37,7 +37,7 @@
> gen_tunable(sepgsql_transmit_client_labe ## Allow database admins to
> execute DML statement ## </p> ## </desc> 
> -gen_tunable(sepgsql_unconfined_dbadm, true) 
> +gen_tunable(sepgsql_unconfined_dbadm, false)
> 
> type postgresql_t; type postgresql_exec_t;
> 

That looks good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBInPMACgkQrlYvE4MpobMJrQCfY6dUKRIs/7FCJSwAuDweNkU1
9koAn25rZqW1R1Km6q9+ygRZW7Y76TvU
=lxXC
-----END PGP SIGNATURE-----