On Mon, Jul 17, 2017 at 4:06 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote: > On Fri, Jul 14, 2017 at 9:46 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > At the risk of commenting on SELinux in general: > >> There is no way to clone all allow rules from >> descendants to their ancestors in policy currently, and doing so would >> be undesirable even if it were practical, as it requires leaking >> permissions to objects and operations into ancestor domains that could >> weaken their own security in order to allow them to the descendants >> (e.g. if a descendant requires execmem permission, then so do all of >> its ancestors ... > > In my mind, permissions like execmem aren't in the same category as > normal permissions. execmem is the right to do something that opens > the subject to compromise, not the right to do something to an object > that needs protection. Maybe execmem should be exempt from > typebounds. I just realized that this got lost in the rest of the discussion ... It's worth nothing that from a practical point of bounded type transitions aren't likely going to be the solution that will likely be used to solve this current systemd problem (see the rest of the thread). However, I understand you were speaking in general terms, and while there may be some merit to your suggestion, that would be quite a deviation from how things work at the moment and unless typebounds takes off (which I am beginning to doubt will happen outside a few special domains) I'm not sure it is worth the effort and headache. -- paul moore www.paul-moore.com