-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2010 12:18 PM, Michal Svoboda wrote: > Daniel J Walsh wrote: >> If we went full lock down on every domain then we would not have > 70% >> of the fedora community running with SELinux enabeled in enforcing >> mode. > > I hear you and I still believe this was/is a smart choice, but I think > with your proposal you're not adhering to its spirit. > > If unconfined means equal to DAC then the unconfined user should be able > to become unconfined root even if via seteuid backdoor. If you want to > prevent this then you're confining the user. (You're now _targeting_ > that ability.) > > So here's an idea: why not just make an unconfined_user_t that would be > stripped of root powers so that even if it becomes euid 0 he could not > exercise them. Then just control the ways of unconfined_user_t becoming > unconfined_admin_t (for example, type transition on trusted seteuid > executable program files). > > Seems to me much simpler and much more bulletbroof than removing _one_ > possible way of many by what you proposed - that is confining an already > confined admin, which is only very remotely responsible for what you > want to avoid. > >> This is not default allow. It is DAC + MAC as opposed to the way most >> people run, which is just DAC. I am trying to make setattr check better. > > Note that from MAC viewpoint, DAC is remarkably similar to default allow. > > > Michal Svoboda Well in a way this is what staff_t is, a user which can run most apps without a problem. but when it runs an app that requires capabilities, it needs to transition to another domain. staff_t is what I run on my laptop. The problem is staff_t < unconfined_t in that it can not run apps that require capabilities that someone has not written policy for. Admin installs a third party app that requires setuid/setgid or some other priv, now he needs to write policy to transition his staff_t to thirdparty_t. In my scenario, unconfined_t will be able to run the third party app, and will be able to becom confinedadmin_t for some sudo jobs. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvYcToACgkQrlYvE4MpobOlJQCeMYi4JDYBIdlo5hYeA2WZGEPT NvAAoKta0qd51FFAGJWhB40r1KPQNmTB =xSvm -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
