On 8/8/2022 1:35 PM, Christian Göttsche wrote:
The libselinux utilities are mostly wrappers around libselinux functionality accessing the selinuxfs, which is largely usable for unprivileged users.
I can see how some of those tools are sensible for unprivileged users, but others (setenforce for example) seem clearly intended for privileged users. On the whole, most of these utilities are dealing with the sort of policy details that the "Mandatory" part of MAC tends to want to leave to administrators.
And while selinuxfs is mounted with permissive "other" DAC perms, a lot of the access tends to be controlled much more granularly in SELinux policies. Obviously a targeted policy with unconfined_t for regular users will grant all this access to unprivileged users, but I suspect that most implementations with more restrictions would be fairly liberal with security_t read access, less liberal with security_t write, and much less liberal with the more granular controls in the security object class. A (very) quick skim through permission on my Fedora desktop seems to bear this out.
I think that the claim that those utilities that only require security_t read are fine for unprivileged users seems reasonable, things like setenforce, togglesebool, setfilecon and the compute_* family, to name a few all feel more like administrative utilities to me.
As a minor note, setsebool is located in policycoreutils and installed in sbin. Separating setsebool from getsebool and togglesebool feels somewhat weird to me.
-Daniel
