* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
@ 2014-07-23 20:31 Jason Zaman
  2014-07-24  8:35 ` Miroslav Grepl
  2014-07-25 12:19 ` Christopher J. PeBenito
  0 siblings, 2 replies; 6+ messages in thread
From: Jason Zaman @ 2014-07-23 20:31 UTC (permalink / raw)
  To: refpolicy

gssd needs to be able to add entries to the kerberos credential
cache. This adds a boolean to allow that.
---
 rpc.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/rpc.te b/rpc.te
index 1a6dcc0..f2e44d5 100644
--- a/rpc.te
+++ b/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
 
 ## <desc>
 ##	<p>
+##	Determine whether gssd can write
+##	generic user temporary content.
+##	</p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+##	<p>
 ##	Determine whether nfs can modify
 ##	public files used for public file
 ##	transfer services. Directories/Files must
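Review bot: the description added above gen_tunable(allow_gssd_write_tmp, false) says only that gssd can write generic user temporary content, while the commit message gives the actual reason as adding entries to the kerberos credential cache. Put that reason in the desc text so an administrator deciding whether to enable the boolean knows what it is for, and that it covers generic user temporary content rather than the cache alone. Defaulting it to false is the right choice.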
@@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
 	userdom_read_user_tmp_symlinks(gssd_t)
 ')
 
+tunable_policy(`allow_gssd_write_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_write_user_tmp_files(gssd_t)
+')
+
 optional_policy(`
 	automount_signal(gssd_t)
 ')
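Review bot: in the allow_gssd_write_tmp tunable_policy block, userdom_list_user_tmp(gssd_t) and userdom_write_user_tmp_files(gssd_t) give gssd_t access to generic user temporary files as a whole, which is wider than the stated need of updating the kerberos credential cache. Please explain in the commit message why the cache cannot carry a dedicated type that gssd_t is granted instead, or add that type and scope the write to it. It would also help to state whether allow_gssd_read_tmp has to be enabled alongside this boolean, since this block adds only list and write.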
-- 
1.8.5.5

* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
  2014-07-23 20:31 [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean Jason Zaman
@ 2014-07-24  8:35 ` Miroslav Grepl
  2014-07-24  9:00   ` Jason Zaman
  2014-07-25 12:19 ` Christopher J. PeBenito
  1 sibling, 1 reply; 6+ messages in thread
From: Miroslav Grepl @ 2014-07-24  8:35 UTC (permalink / raw)
  To: refpolicy

On 07/23/2014 10:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential
> cache. This adds a boolean to allow that.
> ---
>   rpc.te | 13 +++++++++++++
>   1 file changed, 13 insertions(+)
>
> diff --git a/rpc.te b/rpc.te
> index 1a6dcc0..f2e44d5 100644
> --- a/rpc.te
> +++ b/rpc.te
> @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
>   
>   ## <desc>
>   ##	<p>
> +##	Determine whether gssd can write
> +##	generic user temporary content.
> +##	</p>
> +## </desc>
> +gen_tunable(allow_gssd_write_tmp, false)
> +
> +## <desc>
> +##	<p>
>   ##	Determine whether nfs can modify
>   ##	public files used for public file
>   ##	transfer services. Directories/Files must
> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
>   	userdom_read_user_tmp_symlinks(gssd_t)
>   ')
>   
> +tunable_policy(`allow_gssd_write_tmp',`
> +	userdom_list_user_tmp(gssd_t)
> +	userdom_write_user_tmp_files(gssd_t)
> +')
> +
>   optional_policy(`
>   	automount_signal(gssd_t)
>   ')
We probably want to think about a better boolean name for this one. Maybe

gssd_write_user_tmp_files

* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
  2014-07-24  8:35 ` Miroslav Grepl
@ 2014-07-24  9:00   ` Jason Zaman
  0 siblings, 0 replies; 6+ messages in thread
From: Jason Zaman @ 2014-07-24  9:00 UTC (permalink / raw)
  To: refpolicy

On Thu, Jul 24, 2014 at 10:35:31AM +0200, Miroslav Grepl wrote:
> On 07/23/2014 10:31 PM, Jason Zaman wrote:
> > gssd needs to be able to add entries to the kerberos credential
> > cache. This adds a boolean to allow that.
> > ---
> >   rpc.te | 13 +++++++++++++
> >   1 file changed, 13 insertions(+)
> >
> > diff --git a/rpc.te b/rpc.te
> > index 1a6dcc0..f2e44d5 100644
> > --- a/rpc.te
> > +++ b/rpc.te
> > @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
> >   
> >   ## <desc>
> >   ##	<p>
> > +##	Determine whether gssd can write
> > +##	generic user temporary content.
> > +##	</p>
> > +## </desc>
> > +gen_tunable(allow_gssd_write_tmp, false)
> > +
> > +## <desc>
> > +##	<p>
> >   ##	Determine whether nfs can modify
> >   ##	public files used for public file
> >   ##	transfer services. Directories/Files must
> > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> >   	userdom_read_user_tmp_symlinks(gssd_t)
> >   ')
> >   
> > +tunable_policy(`allow_gssd_write_tmp',`
> > +	userdom_list_user_tmp(gssd_t)
> > +	userdom_write_user_tmp_files(gssd_t)
> > +')
> > +
> >   optional_policy(`
> >   	automount_signal(gssd_t)
> >   ')
> We probably want to think about a better boolean name for this one. Maybe
> 
> gssd_write_user_tmp_files

That does sound better, yes. I was basing it off the already existing
read boolean. The original read one should be renamed too then probably.
In that case, do these sound better?

gssd_write_user_tmp_files
gssd_read_user_tmp_files

I can send a patch that renames the read one and adds the new write bool.

* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
  2014-07-23 20:31 [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean Jason Zaman
  2014-07-24  8:35 ` Miroslav Grepl
@ 2014-07-25 12:19 ` Christopher J. PeBenito
  2014-07-25 12:37   ` Jason Zaman
  1 sibling, 1 reply; 6+ messages in thread
From: Christopher J. PeBenito @ 2014-07-25 12:19 UTC (permalink / raw)
  To: refpolicy

On 7/23/2014 4:31 PM, Jason Zaman wrote:
> gssd needs to be able to add entries to the kerberos credential
> cache. This adds a boolean to allow that.
[...]
> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
>  	userdom_read_user_tmp_symlinks(gssd_t)
>  ')
>  
> +tunable_policy(`allow_gssd_write_tmp',`
> +	userdom_list_user_tmp(gssd_t)
> +	userdom_write_user_tmp_files(gssd_t)
> +')
> +

Are you sure that these credential caches can't have more specific
labels, e.g. by name filetrans?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
  2014-07-25 12:19 ` Christopher J. PeBenito
@ 2014-07-25 12:37   ` Jason Zaman
  2014-07-25 18:38     ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Jason Zaman @ 2014-07-25 12:37 UTC (permalink / raw)
  To: refpolicy

On Fri, Jul 25, 2014 at 08:19:16AM -0400, Christopher J. PeBenito wrote:
> On 7/23/2014 4:31 PM, Jason Zaman wrote:
> > gssd needs to be able to add entries to the kerberos credential
> > cache. This adds a boolean to allow that.
> [...]
> > @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
> >  	userdom_read_user_tmp_symlinks(gssd_t)
> >  ')
> >  
> > +tunable_policy(`allow_gssd_write_tmp',`
> > +	userdom_list_user_tmp(gssd_t)
> > +	userdom_write_user_tmp_files(gssd_t)
> > +')
> > +
> 
> Are you sure that these credential caches can't have more specific
> labels, e.g. by name filetrans?

That was sort of the point of my original question: the file is
/tmp/krb5cc_1000, i.e. it depends on the uid. A named transition is not quite
possible, but having something like krb_user_tmp_t would work; then gssd
could get access only to that instead of every single user_tmp_t.

I don't know enough about the details of Kerberos, but I think only the
kernel and kinit/klist/etc. need to be able to read the credential
cache file, so having it labelled as user_tmp_t is a bit strange.

-- Jason

* [refpolicy] [PATCH] Add allow_gssd_write_tmp boolean
  2014-07-25 12:37   ` Jason Zaman
@ 2014-07-25 18:38     ` Daniel J Walsh
  0 siblings, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2014-07-25 18:38 UTC (permalink / raw)
  To: refpolicy


On 07/25/2014 08:37 AM, Jason Zaman wrote:
> On Fri, Jul 25, 2014 at 08:19:16AM -0400, Christopher J. PeBenito wrote:
>> On 7/23/2014 4:31 PM, Jason Zaman wrote:
>>> gssd needs to be able to add entries to the kerberos credential
>>> cache. This adds a boolean to allow that.
>> [...]
>>> @@ -309,6 +317,11 @@ tunable_policy(`allow_gssd_read_tmp',`
>>>  	userdom_read_user_tmp_symlinks(gssd_t)
>>>  ')
>>>  
>>> +tunable_policy(`allow_gssd_write_tmp',`
>>> +	userdom_list_user_tmp(gssd_t)
>>> +	userdom_write_user_tmp_files(gssd_t)
>>> +')
>>> +
>> Are you sure that these credential caches can't have more specific
>> labels, e.g. by name filetrans?
> That was sort of the point of my original question: the file is
> /tmp/krb5cc_1000, i.e. it depends on the uid. A named transition is not quite
> possible, but having something like krb_user_tmp_t would work; then gssd
> could get access only to that instead of every single user_tmp_t.
>
> I don't know enough about the details of Kerberos, but I think only the
> kernel and kinit/klist/etc. need to be able to read the credential
> cache file, so having it labelled as user_tmp_t is a bit strange.
>
> -- Jason
No, the name is randomized, not just krb_UID. It needs to be randomized to
stop other users from attacking your system, just like any named content
in /tmp.

If we had SimpleGlob support in the kernel then we could do a file name
transition on something like krb*

But that does not exist.
