Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp62978ybg;
        Thu, 11 Jun 2020 17:16:04 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwdJUbuRbhEiuajHImyatkzHWclDmw8VrseO8/UTpfkO7xONu4wup2XjUxyuf563rwYSJ+V
X-Received: by 2002:a17:906:5496:: with SMTP id r22mr11161571ejo.449.1591920963893;
        Thu, 11 Jun 2020 17:16:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1591920963; cv=none;
        d=google.com; s=arc-20160816;
        b=tF0oulA3K+BDgRXWIakj2Lrg1JDLzJyaECZ3tSLjFmt58V6zZWLVH6HUojCpIQ5CT9
         xup0GvatiPZp6HfYWlHYTB1zwrX464hP9FPZGkolPiKBXYGL9AVdXS/86AKY53ilIAe/
         199QcQbpQN7CdbpaXD3ehcOX5+OO4Zhv9cMZzCHJ1WOdcxVp1bS5GvBz8axXAb0PqOkM
         oRM5HuDzTa/1lekFw/bEo5jsxmi+/YbPo908zr/SbAf9Kn8TywkGUTovMAd87yoiKp+3
         UhCVsc8ELbrTSKdqpgGQxvjb5/hN1cnSWASXWQms/wV3D+qBDwM4zlOnJ3VW5LWzUv+P
         kPCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=m9DYWEgdBS3r2cpeo85MGKP6dr4UNPgVHe4ACAOToB0=;
        b=oFJlxf/Q36jtAQXhhHTCR5iOr+8iwpklFEo2hghDEDAsxLpRRUcj/5cgkFc36c8fq/
         rQRt+HsqZxULyJ5ZnZl7WOhnyDsd/erC7zD+ognBZZme/IXuECbYAwIpjZVRl9x6EMNv
         PJ3e7X860oo8LZnzMt0x+VaZePjBbos4M4vHWpENnSwBTxFLq9vhAx5SSTXkE6lO7f6x
         wV+X4RXJDrw5iE7JsErUJVFCPvjgXMrKShKnE3TLK15sceqM6432ygIYrxMALwGmJTq1
         EHJ1diML8gWAuA1d5G6aYGZMS7yMkLz0X06nEwdCIB6fWrjUDwYaPxl9pR7vG8sb8bvj
         uEBg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=1PDtAnsE;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id b11si2363281edw.203.2020.06.11.17.15.56;
        Thu, 11 Jun 2020 17:16:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=1PDtAnsE;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726294AbgFLANc (ORCPT <rfc822;sbsubscribe2014@gmail.com>
        + 15 others); Thu, 11 Jun 2020 20:13:32 -0400
Received: from smtp.sws.net.au ([46.4.88.250]:36202 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726285AbgFLANc (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 11 Jun 2020 20:13:32 -0400
X-Greylist: delayed 584 seconds by postgrey-1.27 at vger.kernel.org; Thu, 11 Jun 2020 20:13:31 EDT
Received: from liv.localnet (unknown [103.75.204.226])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: russell@coker.com.au)
        by smtp.sws.net.au (Postfix) with ESMTPSA id 0A076F8C0
        for <selinux-refpolicy@vger.kernel.org>; Fri, 12 Jun 2020 10:03:44 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1591920225;
        bh=m9DYWEgdBS3r2cpeo85MGKP6dr4UNPgVHe4ACAOToB0=; l=2306;
        h=From:To:Subject:Date:From;
        b=1PDtAnsEBBIIOxSqeHK/9QJRxks503XhkA1wzdaujfNu5irXF6wshoAl5N/aD9kfR
         nGFpDy4UZMpKOZaYoEVeMAhhSdu+rEFIwZlMj16PGQ/q1oR1MRFdBwBCGB/JJ79bcN
         WWiFSoFBte3mgWuGAnefhwSC/Zv9MYV7pxUUIZ/g=
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: Are we on the wrong track?
Date:   Fri, 12 Jun 2020 10:03:40 +1000
Message-ID: <3243717.6S2XvbbdUs@liv>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

The reference policy is getting an increasing number of domains and types with 
an O(N^2) level of complexity for writing policy and an O(N^2) size of the 
binary policy.  In 2012 the binary policy on my machines was 560k, now it's 
over 2M.

In recent policy we have 6 different domains for systemd-generators.  What 
benefit are we expecting to get from this?  Are we anticipating that one 
generator will attack another?  How would having separate domains for 
generators do any good when there's no restriction on the contents of the 
files they generate and nothing to prevent one generator from creating a file 
of the name that another generator is expected to create?  Is it even 
reasonable to expect that a program that can create a systemd unit file with 
arbitrary content (IE being able to start any daemon with arbitrary 
configuration and command-line parameters) would be unable to exploit that for 
unrestricted root access?

We have a new set of domains, user_wm_t, staff_wm_t, etc.  What is that for?  
Is someone using the X controls and in need of a privileged window manager 
domain to manage the clipboard etc?  Why is staff_wm_t needed when we no 
longer have staff_gpg_t?  Does staff_r even make sense when you could just use 
different MCS categories for different users?

We have one games_t domain for games which were packaged by the distribution.  
Is this possible to give a useful benefit given that they some games the same 
XDG config directories as more important things.  If a game has the file 
access needed to grab passwords from your MUA and network access to send them 
out then is there a real benefit in having a separate domain for it?  As an 
aside I think that the ideal thing to do would be to have a SETGID program to 
manage passwords for email etc that prevents the user from accessing them, it 
could then proxy IMAP/SMTP connections so the MUA never knows the real 
passwords.

We have special *_cronjob_t domains which in systems that use them (IE not 
Debian) seem to give the potential for nothing but confusion.  The general 
expectation is that anything which can run as a user login session can also 
run as a cron job.  What benefit is this expected to provide?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/