Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device

On 3/14/19 10:22 PM, Sugar, David wrote:


On 3/14/19 6:06 PM, Chris PeBenito wrote:
On 3/13/19 2:18 PM, Sugar, David wrote:
I am having trouble with some denials due to the fact I am setting
up specific private types for media attached to my system.  This
changes to use an attribute for media and interfaces to add types
to the newly created attribute.

What you implemented doesn't seem consistent with what you have in the
commit message.  sr0 is in your example denials, so these aren't all
fixed disk devices, so the interface names and the attribute names
should be related to all storage devices, it would seem.



No, they are not all fixed disk denials.  And maybe I should have split
this into 2 (or 3) patches.  As I was making changes they all seemed
related from my use case, but from your point of view I can see why they
are probably different.  And I may not be explaining what I'm trying to
accomplish clearly.

Basically I have two (or three) cases:
1) I want to provide distinct types for USB devices so that only certain
domains are able to mount/umount/format/etc...  The attribute provides a
way to grant access to things like lvm_t and kernel_t which still need
to do stuff with the device nodes.  The USB devices /dev/sd* by default
are labeled fixed_disk_device_t.

2) I want to provide distinct types for certain hard disk/LVM
partitions.  This will provide a way to restrict access to certain
domains to alter those hard disk partitions (i.e. mount and umount and
cryptsetup (to change LUKS password)).  At the same time this restricts
those domains that need this specific hard disk access to still not have
access to other partitions labeled fixed_disk_device_t.  i.e. so if this
domain is compromised, it can only alter the single partition it has
access to, not others.

3) The last case may be overkill (maybe not) where I am labeling /dev/sr0
and /dev/sg1 with a separate type to better control access to write to
the generic scsi device node to only the process who is writing optical
media.  Again this provides a way to restrict access to the other
/dev/sg* devices this process should not be accessing.  /dev/sr0 is
removable_device_t by default but I also have some USB devices that
present as cdrom devices get /dev/sr1 as the device node and by default
are also labeled removable_device_t.

I am able to use specific udev rules to correctly set up the SELinux
labels for these specific hard disk partitions, USB devices and optical
drive.

I am also open to other recommendations for a better way to solve these
denials without giving domains that only need to access a single device
or partition access to all devices.

These do not seem upstreamable.  They sound very system-specific.


--
Chris PeBenito


