From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Restricting access to pcscd socket
Date: Tue, 19 Aug 2014 09:08:26 -0400 [thread overview]
Message-ID: <53F34C4A.4050307@tresys.com> (raw)
In-Reply-To: <20140215220025.2cb38402@gentp.lnet>
On 2/15/2014 4:00 PM, Luis Ressel wrote:
> On Sat, 15 Feb 2014 15:36:16 -0500
> "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
>
>> Typically I would take something like this. Conditionally making the
>> policy stricter is usually a good thing. I'm not so sure that it
>> makes sense here. It doesn't seem like it buys much.
>
> I'm not sure about either. If I understand it correctly, once one
> application accesses a smartcard, it gets exclusive access - other
> applications can't access it anymore until the using application stops
> using the smartcard (and hopefully resets it before).
>
> On the other hand, something as security-critical as a smartcard daemon
> should be well-protected, and mozilla_plugin_t is a really exposed
> domain. Same goes for xguest_t - you expect that one to have minimal
> permissions, and that normally wouldn't include access to smartcards.
>
> Therefore, I think it would be a good idea to add these booleans. Could
> you perhaps elaborate a bit on them "not buying much"?
The ability to check passwords suffers the same problem but we don't
make the chkpwd rules conditional.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2014-08-19 13:08 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-14 19:47 [refpolicy] Restricting access to pcscd socket Luis Ressel
2014-02-14 19:47 ` [refpolicy] [PATCH 1/3] Add a boolean governing mozilla plugin access to pcscd Luis Ressel
2014-02-14 20:15 ` Sven Vermeulen
2014-02-14 19:47 ` [refpolicy] [PATCH 2/3] Add a boolean governing xguest " Luis Ressel
2014-02-14 19:47 ` [refpolicy] [PATCH 3/3] Add a boolean governing kerberos " Luis Ressel
2014-02-15 20:36 ` [refpolicy] Restricting access to pcscd socket Christopher J. PeBenito
2014-02-15 21:00 ` Luis Ressel
2014-08-11 13:42 ` Luis Ressel
2014-08-19 13:08 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53F34C4A.4050307@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.