Daniel J Walsh wrote:

> If we went full lock down on every domain then we would not have
> 70% of the fedora community running with SELinux enabled in enforcing
> mode.

I hear you and I still believe this was/is a smart choice, but I think with your proposal you're not adhering to its spirit. If unconfined means equal to DAC, then the unconfined user should be able to become unconfined root, even if via a seteuid backdoor. If you want to prevent this then you're confining the user. (You're now _targeting_ that ability.)

So here's an idea: why not just make an unconfined_user_t that would be stripped of root powers, so that even if it becomes euid 0 it could not exercise them? Then just control the ways of unconfined_user_t becoming unconfined_admin_t (for example, a type transition on trusted seteuid executable program files). Seems to me much simpler and much more bulletproof than removing _one_ possible way of many by what you proposed - that is, confining an already confined admin, which is only very remotely responsible for what you want to avoid.

> This is not default allow. It is DAC + MAC as opposed to the way most
> people run, which is just DAC. I am trying to make setattr check better.

Note that from a MAC viewpoint, DAC is remarkably similar to default allow.

Michal Svoboda
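The design sketched in the message above can be written down as a reference-policy-style module. The following is an added illustration, not code from this thread or from the Fedora policy: the type names unconfined_user_t and unconfined_admin_t follow the message's suggestion, while admin_exec_t, the capability list granted to the admin domain, and the module name are assumptions made here. The point it demonstrates is the SELinux mechanism the proposal relies on: the kernel checks every capability use against the process domain's `self:capability` rules, so a domain that has none gains nothing from reaching euid 0 through a setuid binary, and only an exec of a file labelled as the trusted entrypoint moves the process into the privileged domain.

```selinux
policy_module(unconfined_split, 1.0)

########################################
#
# Declarations (illustrative; names other than the two domains
# from the message are assumptions of this example)
#

# Unprivileged "unconfined" user domain: equal to DAC for ordinary
# file access, but deliberately given NO self:capability rules, so an
# euid 0 obtained through an arbitrary setuid program cannot override
# DAC, chown, mount, load modules, etc.
type unconfined_user_t;
domain_type(unconfined_user_t)

# Administrative domain that actually holds root powers.
type unconfined_admin_t;
domain_type(unconfined_admin_t)

# Label for the trusted seteuid executables that are allowed to carry
# a user into the admin domain (e.g. a vetted su/sudo binary).
type admin_exec_t;
corecmd_executable_file(admin_exec_t)
domain_entry_file(unconfined_admin_t, admin_exec_t)

########################################
#
# Controlled entry into the admin domain
#

# Expands to: execute permission on admin_exec_t for the user domain,
# the process transition itself, and
#   type_transition unconfined_user_t admin_exec_t : process unconfined_admin_t;
# so executing any file labelled admin_exec_t lands in unconfined_admin_t.
# A setuid-root binary with any other label is executed in the caller's
# own domain and stays powerless regardless of its DAC euid.
domain_auto_trans(unconfined_user_t, admin_exec_t, unconfined_admin_t)

########################################
#
# Root powers live only in the admin domain
#

# Capability set chosen for illustration; a real policy would grant
# whatever the admin role needs. Note there is intentionally no matching
# rule for unconfined_user_t.
allow unconfined_admin_t self:capability {
	chown
	dac_override
	dac_read_search
	fowner
	fsetid
	kill
	setgid
	setuid
	sys_admin
	sys_ptrace
};

# Role authorization for the two domains (role statements, user
# mappings and the file context entry for admin_exec_t) is omitted here;
# it depends on the role layout of the target policy.
```

Read against the message: what the proposal removes is not one path to root but the meaning of root inside unconfined_user_t, because `capable()` consults the domain's rules, not the euid alone. Controlling who may reach unconfined_admin_t then reduces to controlling which files are labelled admin_exec_t, which is a file-context question rather than an audit of every setuid program on the system.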