Bug 457223 - confined user access to public content types
confined user access to public content types
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-30 08:21 EDT by Dominick Grift
Modified: 2008-11-17 17:05 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:05:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
type enforcement file (1.96 KB, application/octet-stream)
2008-07-30 08:21 EDT, Dominick Grift
no flags Details
interface file (2.25 KB, application/octet-stream)
2008-07-30 08:22 EDT, Dominick Grift
no flags Details
File context file (167 bytes, application/octet-stream)
2008-07-30 08:22 EDT, Dominick Grift
no flags Details
apache interface file (772 bytes, text/plain)
2008-07-30 16:25 EDT, Dominick Grift
no flags Details
apache type enforcement file (295 bytes, text/plain)
2008-07-30 16:25 EDT, Dominick Grift
no flags Details
git-daemon file context file (347 bytes, text/plain)
2008-07-30 16:26 EDT, Dominick Grift
no flags Details
git-daemon interface file (2.25 KB, text/plain)
2008-07-30 16:27 EDT, Dominick Grift
no flags Details
git-daemon type enforcement file (2.19 KB, text/plain)
2008-07-30 16:28 EDT, Dominick Grift
no flags Details
gitusr file context file (97 bytes, text/plain)
2008-07-30 16:28 EDT, Dominick Grift
no flags Details
gitusr interface file (153 bytes, text/plain)
2008-07-30 16:29 EDT, Dominick Grift
no flags Details
gitusr type enforcement file (826 bytes, text/plain)
2008-07-30 16:29 EDT, Dominick Grift
no flags Details
user domain interface file (466 bytes, text/plain)
2008-07-30 16:30 EDT, Dominick Grift
no flags Details
git_daemon domain patch (15.32 KB, text/plain)
2008-08-01 09:18 EDT, Dominick Grift
no flags Details
git_daemon domain. (20.50 KB, text/plain)
2008-08-04 06:02 EDT, Dominick Grift
no flags Details

  None (edit)
Description Dominick Grift 2008-07-30 08:21:27 EDT
In my quest to confine git, i noticed that confined users may not interact with
public content types. 

Should confined users be able to read public_content_types by default?

I have experimented with the idea of allowing confined users access to
public_content_types by implementing booleans.

for example, i have created a miscfiles_per_role_template with 3 booleans:

miscfiles_$1_read_public_content_files, false
miscfiles_$1_manage_public_content_files, false
miscfiles_$1_exec_public_content_files, false

This way i can allow user domains access to these public content types. 

I will attach my concept git-daemon module for reference. Please note that this
module is for testing purposes only.
Comment 1 Dominick Grift 2008-07-30 08:21:27 EDT
Created attachment 312988 [details]
type enforcement file
Comment 2 Dominick Grift 2008-07-30 08:22:00 EDT
Created attachment 312989 [details]
interface file
Comment 3 Dominick Grift 2008-07-30 08:22:42 EDT
Created attachment 312990 [details]
File context file
Comment 4 Daniel Walsh 2008-07-30 10:11:51 EDT
I think they should be allowed to read public_content by default no boolean
needed.  After all it is public.

Comment 5 Daniel Walsh 2008-07-30 15:59:21 EDT
Fixed in selinux-policy-3.5.1-4.fc10.noarch
Comment 6 Dominick Grift 2008-07-30 16:25:11 EDT
Created attachment 313027 [details]
apache interface file
Comment 7 Dominick Grift 2008-07-30 16:25:54 EDT
Created attachment 313028 [details]
apache type enforcement file
Comment 8 Dominick Grift 2008-07-30 16:26:39 EDT
Created attachment 313029 [details]
git-daemon file context file
Comment 9 Dominick Grift 2008-07-30 16:27:18 EDT
Created attachment 313030 [details]
git-daemon interface file
Comment 10 Dominick Grift 2008-07-30 16:28:05 EDT
Created attachment 313031 [details]
git-daemon type enforcement file
Comment 11 Dominick Grift 2008-07-30 16:28:44 EDT
Created attachment 313032 [details]
gitusr file context file
Comment 12 Dominick Grift 2008-07-30 16:29:15 EDT
Created attachment 313033 [details]
gitusr interface file
Comment 13 Dominick Grift 2008-07-30 16:29:54 EDT
Created attachment 313034 [details]
gitusr type enforcement file
Comment 14 Dominick Grift 2008-07-30 16:30:41 EDT
Created attachment 313035 [details]
user domain interface file
Comment 15 Dominick Grift 2008-07-31 17:32:39 EDT
Thanks, please ignore attached policy modules. It is still a work in progress.
Comment 16 Dominick Grift 2008-08-01 09:18:11 EDT
Created attachment 313195 [details]
git_daemon domain patch

Here is my current git_daemon domain policy. This seems to work great, but it
could use more testing.
Comment 17 Dominick Grift 2008-08-04 06:02:23 EDT
Created attachment 313344 [details]
git_daemon domain.

Attached is my latest update for my git daemon domain. I have tried to keep it as simple as possible. Note that i also tried to make the optional_policy block: git_daemon_read_all_git_daemon_content(httpd_t) tunable in apache.te, this did not work as expected.

git-shell users need a special git userdomain: git_daemon_git_user_template(git_user), because unprivileged users do not have access to git_daemon_system_content_t.

The git-shell user domain has to be the primary for git+ssh:// to work. One would have to add git_user_u to /etc/selinux/targeted/contexts/users/ with:

system_r:remote_login_t:s0	git_user_r:git_user_t:s0
system_r:sshd_t:s0		git_user_r:git_user_t:s0

personal repositories can be hosted by regular local users by default in ~/public_git and should be labeled git_daemon_user_content_t by default)

if git_daemon runs as a inetd service than one can enable/disable the use of personal git repositories.

if a user runs the git-daemon , the user will only be able to host git_daemon_user_content_t in his home location.

git_daemon_admin() is pretty useless at the moment.
Comment 18 Daniel Walsh 2008-11-17 17:05:23 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.