I realized that I missed this.
On 6/12/20 10:03 AM, bauen1 wrote:
Hi,
I also agree with most things already said.
I would like to add that the way documentation is currently handled
involves too much copy + paste of almost meaningless descriptions, but I
haven't found a very good alternative either. (maybe adding a type
attribute to the param xml and generating a summary based on that could
work in the most common cases)
The original intent with the XML-based docs was for tools to use (see
policy.xml). As far as I know, the only tool that ever used it is long-dead
(SLIDE). If we can come up with with a better solution that doesn't rule-out
the potential for tools, I'd be fine with that. It may go better with a proper
HLL and named interface parameters.
On 6/12/20 3:02 PM, Russell Coker wrote:
Does staff_r even make sense when you could just use
different MCS categories for different users?
Yes, as user_r cannot reach admin roles whereas staff_r can.
The user identity has a permitted list of roles, you can have users who are
permitted user_r and sysadm_r and users who are only permitted user_r. The
original benefit of staff_r was to protect staff from attacks by user_r
accounts, but we can do that protection with the identity based constraints.
I would propose replacing user based constraints with role based
constraints:
The user part of the context (normally) doesn't change after login, this
means that files edited by a staff_u user become inaccessible by anyone
else, even if sudo is used to change to staff_u:sysadm_r:sysadm_t, but
reducing the user based constraints for staff_u is undesirable.
This behavior depends on the type of the file. If you end up with a
staff_u:object_r:etc_t context, the user separations don't apply since this is
not a user file.
We used to have role based separations but it was encoded into the TE rules and
generated an enormous amount of rule duplication. There are some remaining
examples of this, e.g. in the su and sudo policies (staff_su_t, sysadm_su_t).
When the default_* statements were implemented I started to reimplement the
role-based separations using the role, but then I lost the work before I
finished. I don't think it is too involved, since it may be as simple copying
the UBAC infrastructure and tweaking it to work on roles.
--
Chris PeBenito
