[refpolicy] [PATCH 2/3] user access to DOS files

Guido Trentalancia guido at trentalancia.com
Thu Sep 6 11:39:50 CDT 2012


On 06/09/2012 18:31, Guido Trentalancia wrote:
> On 06/09/2012 16:24, Laurent Bigonville wrote:
>> On Tue, 4 Sep 2012 23:21:08 +0200,
>> Laurent Bigonville <bigon at debian.org> wrote:
>>
>>> +	tunable_policy(`user_manage_dos_files',`
>>> +		fs_manage_dos_dirs($1_t)
>>> +		fs_manage_dos_files($1_t)
>>> +	')
>>> +
>>>    ')
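Review bot: the new `tunable_policy(`user_manage_dos_files', ...)` block overlaps with the existing `user_rw_noexattrfile` tunable, which already grants `fs_manage_noxattr_fs_dirs`/`fs_manage_noxattr_fs_files` to $1_t (DOS filesystems are noxattr filesystems) and, unlike this block, falls back to read-only access when the boolean is off; shipping both means two independent switches now gate the same write access and an administrator has to disable both. Suggest dropping the block, or, if a DOS-specific knob is genuinely wanted, making it narrower than the noxattr one with an explicit read-only else branch, and adding the matching `gen_tunable(user_manage_dos_files, false)` declaration and its documentation comment, neither of which is part of this hunk.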
>>
>> I was reading the code further and isn't the proposed patch actually
>> redundant with user_rw_noexattrfile?
>>
>>           tunable_policy(`user_rw_noexattrfile',`
>>                   fs_manage_noxattr_fs_files($1_t)
>>                   fs_manage_noxattr_fs_dirs($1_t)
>>           ',`
>>                   fs_read_noxattr_fs_files($1_t)
>>           ')
>>
>> So shouldn't the proposed patch simply be dropped?
>
> Fortunately, it has not been applied, I think. And if it causes problems
> and degradation of current policy, as you now recognize, why did you
> post it in the first place then?

The version above does not exclude xattr, so it leads to a marked security flaw. It also leads to another security risk, as already pointed out in previous messages (no disabled boolean for cross-OS filesystem writes).

This project goes in the opposite direction, I suppose...

