From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Restricting access to pcscd socket
Date: Sat, 15 Feb 2014 15:36:16 -0500
Message-ID: <52FFCFC0.8030407@tresys.com>
In-Reply-To: <1392407241-18492-1-git-send-email-aranea@aixah.de>

On 2/14/2014 2:47 PM, Luis Ressel wrote:
> The policy grants the right to access the pcscd socket (PC/SC daemon, a daemon
> for accessing smartcards) to some domains which rarely need it: xguest_t,
> mozilla_plugin_t and kerberos users (through kerberos_use()). While there are
> use cases which require this access, most do not, and access to a smartcard is
> something rather critical. Therefore I propose to make this permission a
> tunable.
>
> There are some other domains which are granted this access (openct_t,
> certmonger_t, certwatch_t, and after my last patch also gpg_agent_t), but they
> are specifically crypto-related and should be well-protected, so I decided to
> leave their permissions unconditional. (Sure, kerberos is also crypto-related,
> but in that policy, the right is granted to any application using kerberos, not
> only a separate process.)
>
> What do you think?

Typically I would take something like this. Conditionally making the policy stricter is usually a good thing. I'm not so sure that it makes sense here. It doesn't seem like it buys much.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com