Ivan Gyurdiev wrote:
I think we need to maybe stop marking certain defined domains as exec_type, to prevent all users from being able to execute the application without a transition.
If you want to prevent all users from being able to execute the app w/out a transition, then set disable_trans to false, and that should suffice, shouldn't it?
Even in your example, if I disable_trans for games and then accidentally run some game as sysadm, bad things can happen.
So what you really want is to always transition for sysadm, regardless of what disable_trans is set to.
    if (! disable_games_trans) {
        domain_auto_trans($1_t, games_exec_t, $1_games_t)
    }
    ifelse($1, sysadm, `
        domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
    ')
No, that is only an example. I am thinking more of the attribute exec_type.
Every exec_t we are currently defining as exec_type, which allows all users (user_t, staff_t, sysadm_t)
to execute the app. If we want the app to be only executable by certain users and to require a trans, we
need to eliminate the exec_type attribute on the exec_t.
One of the things that has been discussed with MLS is the idea of a secadm for manipulating policy versus
a sysadm for doing everything else. The argument in the past was that you could not properly isolate the two
so that a hostile user in one domain could not gain access to the other domain. What I am thinking of is not how
to prevent the hostile user but how to prevent accidental usage by a non-hostile user. So if we defined sysadm_r
as not being able to execute checkpolicy and load_policy, and secadm_r as not able to execute anything but checkpolicy
and load_policy, we could at least force people to become cognizant of the role they are in.
So if I am in secadm_r and I accidentally try to run mozilla, it will give me an error.
Dan
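To make the exec_type point concrete, here is an added illustration (not from either mail) of the same games policy written both ways, in the old monolithic-policy macro style the thread uses. It assumes the domain_auto_trans macro, the file_type/sysadmfile/exec_type attributes, and that user domains get a blanket "execute any exec_type file" rule elsewhere in the policy; the per-user macro name games_domain and the role names are assumptions.

```m4
# Added example, not Dan's or Ivan's policy. Pick ONE of the two
# games_exec_t declarations below; they are shown side by side.

bool disable_games_trans false;

# Weak form: games_exec_t carries exec_type. Every user domain
# (user_t, staff_t, sysadm_t) may execute the binary directly through
# the generic exec_type rule, so flipping disable_games_trans lets a
# game run in the caller's own domain with all of its privileges.
type games_exec_t, file_type, sysadmfile, exec_type;

# Hardened form: no exec_type. Only domains that get an explicit
# execute rule (below, via domain_auto_trans) can run the binary at
# all, and for them the transition into $1_games_t is the only way in.
type games_exec_t, file_type, sysadmfile;

# Per-user macro; $1 is the role prefix (user, staff, sysadm).
# The sysadm branch ignores the boolean, so an accidental game launch
# as sysadm is still confined even when the transition is disabled
# for ordinary users.
define(`games_domain', `
type $1_games_t, domain;
role $1_r types $1_games_t;
ifelse($1, sysadm, `
domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
', `
if (!disable_games_trans) {
domain_auto_trans($1_t, games_exec_t, $1_games_t)
}
')
')

games_domain(user)
games_domain(staff)
games_domain(sysadm)
```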