Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 155800 - Restricting /home
Summary: Restricting /home
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On: 155798 156452
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-04-23 13:17 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-24 02:56:16 UTC


Attachments (Terms of Use)
Restrict Home V. 1 (deleted)
2005-04-23 13:18 UTC, Ivan Gyurdiev
no flags Details | Diff
Makefile patch to detect lines containing USER (deleted)
2005-04-29 18:13 UTC, Ivan Gyurdiev
no flags Details | Diff
Genhomedircon patch for USER expansion (deleted)
2005-04-29 18:15 UTC, Ivan Gyurdiev
no flags Details | Diff
Restrict Home patch v. 2 (deleted)
2005-04-29 20:27 UTC, Ivan Gyurdiev
no flags Details | Diff
Restrict Home patch v. 3 (deleted)
2005-04-30 00:03 UTC, Ivan Gyurdiev
no flags Details | Diff
Restrict Home patch v. 4 (deleted)
2005-04-30 15:10 UTC, Ivan Gyurdiev
no flags Details | Diff
ORBit2-SELinux patch to do matchpathcon on /tmp/orbit-$USER... (deleted)
2005-05-07 19:47 UTC, Ivan Gyurdiev
no flags Details | Diff
ORBit2-SELinux patch v. 2 (deleted)
2005-05-07 22:15 UTC, Ivan Gyurdiev
no flags Details | Diff
03-genhomedircon-USER.diff (deleted)
2005-05-12 00:21 UTC, Ivan Gyurdiev
no flags Details | Diff
03-Makefile-USER.diff (deleted)
2005-05-12 00:22 UTC, Ivan Gyurdiev
no flags Details | Diff
03-orbit.diff (deleted)
2005-05-12 00:24 UTC, Ivan Gyurdiev
no flags Details | Diff
04-gconfd.diff (deleted)
2005-05-12 00:26 UTC, Ivan Gyurdiev
no flags Details | Diff
rest.fix.diff (deleted)
2005-05-12 00:28 UTC, Ivan Gyurdiev
no flags Details | Diff

Description Ivan Gyurdiev 2005-04-23 13:17:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
This bug is to track development on my restrict_home patch.
In its present shape, this patch is not ready for merge, 
but I think it's moving in the right direction of providing
more fine-grained labeling, so desktop programs will
not require access to ROLE_home_t/ROLE_tmp_t.

The version attached provides labeling for various gnome
hidden folders, mime-type files, and per/user fonts. 
It creates macros for reading mime-types and fonts,
and begins using those in several programs. It places GConf in
its own domain. Finally, it removes the mozilla read_home and
write_home macros, and changes mozilla to only be able to 
write ROLE_untrusted_content_t.


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.12-1

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Ivan Gyurdiev 2005-04-23 13:18:18 UTC
Created attachment 113581 [details]
Restrict Home V. 1

Comment 2 Ivan Gyurdiev 2005-04-29 18:13:40 UTC
Created attachment 113861 [details]
Makefile patch to detect lines containing USER

USER expansion: Makefile.diff

Comment 3 Ivan Gyurdiev 2005-04-29 18:15:37 UTC
Created attachment 113863 [details]
Genhomedircon patch for USER expansion

USER expansion: genhomedircon.diff

Not sure if this is right way to do this, but it works...

Comment 4 Ivan Gyurdiev 2005-04-29 20:27:50 UTC
Created attachment 113875 [details]
Restrict Home patch v. 2

Comment 5 Ivan Gyurdiev 2005-04-30 00:03:44 UTC
Created attachment 113878 [details]
Restrict Home patch v. 3

Comment 6 Ivan Gyurdiev 2005-04-30 15:10:19 UTC
Created attachment 113888 [details]
Restrict Home patch v. 4

Funny how I can't attach that patch in enforcing mode...since mozilla can't
read ROLE_home_t... will have to deal with that eventually.

Comment 7 Ivan Gyurdiev 2005-05-07 19:47:03 UTC
Created attachment 114126 [details]
ORBit2-SELinux patch to do matchpathcon on /tmp/orbit-$USER... 

With this patch, orbit-$USER is created with the proper type.
I think I will submit the orbit part of the restrict home patch
for inclusion now...

Comment 8 Ivan Gyurdiev 2005-05-07 22:15:54 UTC
Created attachment 114135 [details]
ORBit2-SELinux patch v. 2

- matchpathcon() failure not an error condition
- add libORBit to the error messages to indicate where they are from

Comment 9 Daniel Walsh 2005-05-09 14:28:28 UTC
I am not sure this is the way we want to go.  You will need to run orbit with a
much higher privs.  I think the path you were going down earlier of creating
some kind of skel would be better.   IE Setup /tmp/orbit at boot or when orbit
starts up, with the proper context.  Then have a file_type_trans rule for users
who create files in /tmp/orbit.

file_type_domain_trans(user_t, tmp_orbit_t, user_tmp_orbit_t)  or something.



Comment 10 Ivan Gyurdiev 2005-05-10 16:45:43 UTC
Bug Update (for anyone interested):

Currently under discussion for inclusion:

- miscellaneous mozilla/gift fixes
- breakup of file_browse_domain
- USER expansion
- orbit macros
- gconfd domain

All attachments are obsolete, and need update - I will post re-synced patches
as soon as we've figured out what needs to be merged.

TODO:
- Make genhomedircon expand <<none>> USER contexts
- Figure out this denial:

 audit(1115741956.702:0): avc:  denied  { use } for  path=pipe:[9850] dev=pipefs
ino=9850 scontext=phantom:staff_r:staff_gconfd_t
tcontext=system_u:system_r:xdm_t tclass=fd

- Do something about gdm vs xdm:

audit(1115741955.365:0): avc:  denied  { search } for  name=.icons dev=dm-2
ino=324635 scontext=system_u:system_r:xdm_t
tcontext=phantom:object_r:staff_gnome_data_t tclass=dir






Comment 11 Ivan Gyurdiev 2005-05-12 00:21:25 UTC
Created attachment 114270 [details]
03-genhomedircon-USER.diff

Upload fixed patch (This patchset is against 1.23.15-4)

Comment 12 Ivan Gyurdiev 2005-05-12 00:22:58 UTC
Created attachment 114271 [details]
03-Makefile-USER.diff

Upload fixed patch (This patchset is against 1.23.15-4)

Comment 13 Ivan Gyurdiev 2005-05-12 00:24:55 UTC
Created attachment 114272 [details]
03-orbit.diff

Upload fixed patch (This patchset is against 1.23.15-4)

Comment 14 Ivan Gyurdiev 2005-05-12 00:26:47 UTC
Created attachment 114273 [details]
04-gconfd.diff

Upload fixed patch (This patchset is against 1.23.15-4)

Comment 15 Ivan Gyurdiev 2005-05-12 00:28:21 UTC
Created attachment 114274 [details]
rest.fix.diff

Upload fixed patch (This patchset is against 1.23.15-4)

Comment 16 Ivan Gyurdiev 2005-05-24 02:56:16 UTC
Closing bug, because it's not working well as a tracker -
patches in question are constantly out of date, and being resynced.

Status before closing:

Merged:
03-genhomedircon-USER.diff
03-Makefile-USER.diff

Pending FC4:
03-orbit.diff
ORBit2-SELinux patch v. 2
04-gconfd.diff

Some fonts and mount_point things merged,
others need to be fixed:
rest.fix.diff

------

I will now work on getting the rest of this fixed and merged,
and writing an evolution policy...




Note You need to log in before you can comment on or make changes to this bug.