On 8/7/2015 9:37 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
>>> Will you provide a patch to the reference policy to allow semanage_t
>>> to write into all kinds of directories?
>>>
>>> I personally see little value in this patch, as everything is readily
>>> accessible on the file system. Users who want to extract policies with
>>> semodule will now encounter policy issues where semanage_t is not
>>> allowed to write into the current working directory (depending where
>>> the user is at):
>>
>> Directly accessing files under /var/lib/selinux is not very
>> user-friendly or maintainable, as how the files are arranged and stored
>> is an implementation detail of libsemanage.
>>
>
> Agreed, policy could (and maybe should) completely prevent users from
> messing around there, lest they corrupt something.

This is generally enforced in refpolicy, though a couple of privileged domains (e.g. package managers) can access it.

>> The change allows users a new workflow in which they can readily extract
>> a module (whether locally created or distro-provided), modify it, and
>> then re-install it (and automatically have their modified version
>> installed at higher priority, and thereby not clobber the
>> distro-provided one or be clobbered by subsequent policy updates).
>>
>> semanage is already given userdom_read_user_home_content_files() and
>> userdom_read_user_tmp_files() in order to support semodule -i from
>> either of those locations, so broadening that to userdom_manage doesn't
>> seem too onerous.
>>
>> Also, the situation doesn't seem terribly different from the already
>> existing semanage export facility, which takes a -f output_file option.
>>
>
> Alternatively the module could always be output to stdout and then
> piping it to a file would use the user's (or shell's) domain rather than
> semanage_t.
>
> There is definitely an integrity violation with having such a privileged
> program read from user directories but I suppose that ship has sailed.

It's a side effect of the UBAC implementation, as all the users have the same types for their home directory contents, but with different seusers.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
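To make the trade-off in the thread concrete, here is an added illustration (not the patch under discussion, and not refpolicy's actual semanage.te) of what the two states of the semanage_t domain look like in reference-policy style. The interface names userdom_manage_user_home_content_files and userdom_manage_user_tmp_files are assumed to be the refpolicy counterparts of the read interfaces named in the thread; verify them against policy/modules/system/userdomain.if in your own tree before relying on them.

```m4
## Added example in refpolicy style: excerpt of what a semanage_t policy
## fragment looks like before and after the broadening discussed above.
## semanage_t is assumed to be declared elsewhere (as in the real semanage.te).

########################################
#
# State described in the thread: semanage_t may only *read* user home and
# user tmp content, which is enough for "semodule -i ./foo.pp" to work from
# either location. Extracting a module into the user's cwd would be denied.
#
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)

########################################
#
# Proposed broadening: replace the read interfaces with manage ones so that
# semanage_t can create, write and unlink files in those locations, letting
# the extract-modify-reinstall workflow write into the user's cwd.
#
# Caveat for reviewers: under UBAC every user's home content carries the
# same type (only the seuser differs), so this grants the privileged
# semanage_t domain write access to every user's home content, not just the
# invoking user's. That is the integrity concern Joshua raises above.
#
# (The interface names below are assumed; check userdomain.if.)
#
userdom_manage_user_home_content_files(semanage_t)
userdom_manage_user_tmp_files(semanage_t)
```

The stdout alternative mentioned in the thread avoids the second block entirely: if semodule writes the extracted module to its standard output and the shell redirects it to a file, the file is created by the user's (or shell's) domain, so the read-only rules in the first block remain sufficient and semanage_t gains no new write surface.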