Jamie Nguyen wrote:
> I think I've spotted a bug with misc env. I have put this in exception policy:
>
> acl_group 0 misc env HOME
> acl_group 0 misc env USERNAME
> ... etc
>
> However, putting domains with "use_group 0" into learning mode causes
> entries like this to appear:
>
> misc env HOME
> misc env USERNAME
> ... etc
>

If you are experiencing this problem when using policy namespace, I think you are confused by the two things below.

Please check that the domains with "use_group 0" and the exception policy with "acl_group 0" belong to the same policy namespace.

For example, "<kernel> /usr/sbin/sshd /bin/bash" domain is in "<kernel>" namespace. Thus, this domain will search for "<kernel> acl_group 0 misc env HOME" from the exception policy. (For compatibility, "<kernel> " prefix is omissible for "<kernel> acl_group 0 misc env HOME" case.) But "</usr/sbin/sshd> /bin/bash" domain is in "</usr/sbin/sshd>" namespace. Thus, this domain will search for "</usr/sbin/sshd> acl_group 0 misc env HOME" from the exception policy.

Also, please note that the permission for receiving environment variables (misc env) and the permission for using interpreter/loader programs (file read) are checked using the domain to which the process will belong upon successful program execution.

For example,

  <kernel> reset_domain /usr/sbin/sshd from any

will cause processes which belong to domains in the "<kernel>" namespace to temporarily transit to "</usr/sbin/sshd>" domain in the "</usr/sbin/sshd>" namespace. (The "temporarily" means that they will return to the old domain if program execution has failed, and they will remain in the new domain if program execution has succeeded.) Therefore, "misc env HOME" is searched from "</usr/sbin/sshd>" namespace using "use_group" settings of "</usr/sbin/sshd>" domain.

As you put "acl_group 0 misc env HOME" into the "<kernel>" namespace, the process which is temporarily in the "</usr/sbin/sshd>" namespace is unable to find "</usr/sbin/sshd> acl_group 0 misc env HOME" from the exception policy.

This means that, when you develop a policy for a specific application using policy namespace, you can restrict environment variables which the application is allowed to receive without worrying about interference with other policy namespaces.
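
The lookup described in the reply above, as an added example that is not part of the original message and is not TOMOYO code: a simplified Python model of which namespace's "acl_group" entries are searched when a program is executed. The policy text, the USE_GROUPS table and all function names are constructed for illustration, and only the "from any" form of reset_domain is modelled.

```python
# Simplified model of the namespace lookup for "misc env" (added example).
# Constructed exception policy; "<kernel> " prefix is omitted on the first line.
EXCEPTION_POLICY = """\
acl_group 0 misc env HOME
<kernel> acl_group 0 misc env USERNAME
<kernel> reset_domain /usr/sbin/sshd from any
</usr/sbin/sshd> acl_group 0 misc env USERNAME
"""
# Constructed domain policy summary: domain name -> its use_group numbers.
USE_GROUPS = {
    "</usr/sbin/sshd>": [0],
    "</usr/sbin/sshd> /bin/bash": [0],
    "<kernel> /usr/sbin/crond /bin/bash": [0],
}

def namespace_of(domain):
    """The namespace is the first token of a domain name, e.g. '<kernel>'."""
    return domain.split()[0]

def parse(policy):
    """Return ({(namespace, group): ACL strings}, {(namespace, program)})."""
    groups, resets = {}, set()
    for line in policy.splitlines():
        tok = line.split()
        # A missing namespace prefix means the "<kernel>" namespace.
        ns = tok.pop(0) if tok and tok[0].startswith("<") else "<kernel>"
        if tok[:1] == ["acl_group"] and len(tok) > 2:
            groups.setdefault((ns, int(tok[1])), set()).add(" ".join(tok[2:]))
        elif tok[:1] == ["reset_domain"] and tok[2:] == ["from", "any"]:
            resets.add((ns, tok[1]))
    return groups, resets

def exec_target(domain, program, resets):
    """Domain the process temporarily belongs to while the exec is checked."""
    if (namespace_of(domain), program) in resets:
        return "<" + program + ">"      # reset_domain: jump to a new namespace
    return domain + " " + program       # default: child domain, same namespace

def env_allowed(domain, program, var, policy=EXCEPTION_POLICY):
    """True if 'misc env <var>' is found via the target domain's use_group."""
    groups, resets = parse(policy)
    target = exec_target(domain, program, resets)
    ns = namespace_of(target)
    return any("misc env " + var in groups.get((ns, g), ())
               for g in USE_GROUPS.get(target, ()))

if __name__ == "__main__":
    for var in ("HOME", "USERNAME"):
        print(var, env_allowed("<kernel> /sbin/init", "/usr/sbin/sshd", var))
```

In this model HOME is not found when /usr/sbin/sshd is executed, because the only "acl_group 0 misc env HOME" line sits in the "<kernel>" namespace while the check runs in "</usr/sbin/sshd>".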