I'd like to take a moment to introduce the project I'm working on. I call it 'context separation' (consep). It shall provide a user with the means to separate his desktop into different contexts (which I will call 'subusers' to distinguish them from SELinux contexts). The subusers can be named by the user. One subuser is supposed to be used for each of the user's tasks: one for browsing, one for mail, one for working on project A, one for project B, etc. A subuser can be thought of like a sandbox on Fedora (I think so at least). The main difference probably is that I use XSELinux for separation under X11 while Fedora uses Xephyr proxies. The latter certainly is cleaner and probably more secure, but has a performance and usability impact. What consep is supposed to offer besides a policy is a set of tools to integrate the subusers into the user's desktop and (hopefully) workflow.

* The policy

The policy is written from scratch but could be rebased to refpol with not so much effort due to strong modularity. I just thought things were complicated enough already without having to deal with refpol. Essentially it is a targeted policy. All system processes run in unconfined domains at the moment. Nevertheless the whole filesystem is labeled trying to replicate DAC, so extending the policy to a strict one can be accomplished by writing policy modules for the system processes. The separation between the main user and his subusers is done via TE between the types main_t (which further divides into xserver_t and wm_t) and sub_t. The subusers themselves are separated by MCS in the manner I described in my previous post on this list. It boils down to this: every user has 100 slots for subusers, each slot having a specific MCS range to separate it from every other slot.

* The tools

The primary goal of the consep tools is to provide the user with means to name his subuser slots (which by themselves are just category ranges) and then refer to these slots by the given names for all kinds of tasks. For example: the user creates subusers with the names browser, mail and selinux-policy. The system automatically assigns free subuser slots to those names. Once a slot is in use, it cannot be assigned to any other name. The window manager then can use the tool 'consep-doas' to do something like:

    consep-doas browser firefox

This will automatically transition to sub_t and the MCS range associated with 'browser' and start firefox. Each subuser has his own home dir and is supposed to behave like an independent traditional Linux user.

Tools also include:

- A menu program to easily start terminals and other apps as one of your subusers.
- A program to copy X11 selections between subusers. Each subuser has his own cutbuffer through polyinstantiation.
- A daemon that can be used by subusers to send files to other subusers.
- A program to mount removable vfat drives to a specific subuser. (E.g. mounting your MP3 player to your music subuser. Gives him and only him access to it.)
- A simple statusbar program that shows the name of the subuser owning the currently active X window. (That's just for convenience; could be spoofed easily.)

All the programs prompt for subuser names using dmenu. The whole system is easily maintained: you just add subuser names to a file in your main user's home dir.

So far this is all working and currently in use by me. I'll open up my hg repository as soon as I have set up a server for this. My time is a bit scarce now, but I will use the next few weeks to write some basic documentation, comment some code and sort out some license issues with stuff I use. Then I'll release a preliminary version under the GPL.

Not working yet but planned is the ability for subusers to further transition down to subsubusers (e.g. the mail user dropping privileges to view a PDF). This is implemented in the policy already but not in the tools.

Ole
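As an added illustration (not Ole's code), here is how the name-to-slot-to-MCS step behind 'consep-doas browser firefox' could look. Everything beyond what the post states is assumed: the names-file format, the user_u:user_r prefix, one category per slot with user k owning c(100k)..c(100k+99), and requesting the transition through runcon(1).

```python
SLOTS_PER_USER = 100          # the post: every user has 100 subuser slots
MAX_CATEGORY = 1023           # default MCS category range is c0..c1023
CONTEXT_PREFIX = "user_u:user_r:sub_t"   # sub_t is from the post; user/role assumed


def parse_names(text):
    """Parse the per-user names file (assumed format: one name per line,
    '#' starts a comment).

    Line order is the slot number, so a name keeps its slot as long as the
    file is only appended to. A name may bind only one slot, hence the
    duplicate check, and the file may not name more subusers than slots.
    """
    names = []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip()
        if not name:
            continue
        if name in names:
            raise ValueError(f"subuser {name!r} listed twice")
        names.append(name)
    if len(names) > SLOTS_PER_USER:
        raise ValueError("more subuser names than slots")
    return names


def mcs_range(user_index, slot):
    """Assumed scheme: user k owns c(100k)..c(100k+99); slot i gets c(100k+i).

    Every slot thus carries a category no other slot of any user has, which
    is what keeps the subusers' files and X resources apart under MCS.
    """
    if not 0 <= slot < SLOTS_PER_USER:
        raise ValueError("slot out of range")
    cat = user_index * SLOTS_PER_USER + slot
    if cat > MAX_CATEGORY:
        raise ValueError("category beyond the policy's MCS range")
    return f"s0:c{cat}"


def context_for(names, user_index, name):
    """Resolve a subuser name to the full SELinux context to transition to."""
    if name not in names:
        raise KeyError(f"unknown subuser {name!r}")
    return f"{CONTEXT_PREFIX}:{mcs_range(user_index, names.index(name))}"


def doas_argv(names, user_index, name, argv):
    """The argv consep-doas would exec for e.g. 'consep-doas browser firefox'
    (assumption: the transition is requested via runcon(1))."""
    return ["runcon", context_for(names, user_index, name), *argv]
```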