Untrusted content domain

Ivan Gyurdiev ivg2 at cornell.edu
Mon May 9 20:57:06 UTC 2005 

On Mon, 2005-05-09 at 14:04 +0100, Mike Hearn wrote:
> Hi Ivan,
> 
> I saw your work on the restricted $HOME SELinux policy and this
> interests me a great deal (both with my Codeweavers hat and my
> autopackage hat on).
> 
> I'd like to discuss this in a more public forum. Is the Fedora SELinux
> list a good place to talk about this sort of lockdown?

Ok. Basically my plan is to see how SELinux can be used to confine all 
applications, including various "desktop" programs - content 
handlers and such. I dislike how so many things that are completely
unrelated are marked ROLE_home_t under /home, and a lot of things
are marked ROLE_tmp_t under /tmp. I think there should be better
labeling of /home, and /tmp.

As part of this, I have suggested various changes, including:

- per domain labeling of ORBit sockets in /tmp, so apps 
don't have to access ROLE_tmp_t

- confining various GNOME daemons to make use of this - 
starting with GConf, and gnome-vfs-daemon

- labeling of the various GNOME hidden folders in /home with
a more specific context than ROLE_home_t

- restricting mozilla and other programs that interact with
the web to writing ROLE_untrusted_content_t, as opposed to ROLE_home_t
(or something stranger, like ROLE_mozilla_home_t, which is the current
behavior)

- labeling per/user fonts, and .desktop files, and writing macros
to make those work

- in the future, content-specific types such as ROLE_media_content_t,
that content handlers can access.

I have a bug tracking this here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155800

although right now this is just one large patch, not nearly where
it should be, and unsuitable for merging. I have sent Daniel Walsh
several smaller patches to begin implementing this - I need to update
the bug to reflect that, since the large patch is a bit out of date.

===========================

The untrusted_content part of this is a proposal for a type to be used
to mark things downloaded from the Internet that cannot be trusted
(hence..untrusted). The idea is that various web browsers, p2p clients,
etc. will use this type to store content.

Then the user would have to perform some sort of action to interact
with this type, to make it accessible by other programs. This
would be simply to relabel the file to a different type to begin with,
but in the future an automated mechanism could be used to do this,
or selinux integration with nautilus could be used to relabel the
files. There were also suggestions of a virus scan before
such content type would be made accessible.

Basically, for starters I just want better labeling of content
downloaded by mozilla, because ROLE_mozilla_home_t is just wrong - it's
the same type as is used for internal mozilla settings (.mozilla).
Then after the type exists, we can figure out what to do with it.

To make this work I wanted there to be a folder in /home
called downloads or something like that created by default.
Then things stored there would automatically get the right type.
I suggested that the GNOME team create such a folder, and integrate it
with the Places menu, but I don't think there was a lot of interest
on the Usability list - in any case people disagree about what
it should be called, or whether it's important to have such a folder.
I haven't decided what to do about this - currently my patch simply
labels downloads and ".*Downloads" as ROLE_untrusted_content_t,
if they are present. It also changes the type of files saved by mozilla
in tmp to ROLE_untrusted_content_t.

More information about the selinux mailing list