Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp279692ybg; Fri, 12 Jun 2020 01:02:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxuQujL9IVQLSPssk3y7aEp1sBvxjziZ2AdDrS0TicHYVTpPl3m7IdViLBwhshmaMH2Dob4 X-Received: by 2002:a17:907:20ee:: with SMTP id rh14mr12218622ejb.395.1591948970086; Fri, 12 Jun 2020 01:02:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591948970; cv=none; d=google.com; s=arc-20160816; b=ZqbkUmKY/2xJ6YhPnN9ZkRzsRf2ERrzevonN4aQqQ1TFZG6QUby0lbUkjqJvVKMGJH qe/MQC8r5MrvKU1LSd1OGiF1aIcMqMUB+Qec5l1AAN5kDj7pifLB5yVQd594yVxd4MUT LPtnntZlZ76/P/Kv0vkjRVIZRa5fuOVDjJCV0OgmdqFR4sB9AE5oHlm9Ec54YknplbKz 4STLGRhcdxXBbY55cffQrAitkH9alfpWo21QVi6SS+4YxyAZs8E1EISSjuzETHFXA/vA T8CK/BwZ1pPf+iey5omBi2xWb59Gj8Pi7tUj+LxufEt4sW6rNqpafBS1o1ESgk05t9kk MJWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=O+6S31Ax7KAo+OY8cQOUxDYubn5PN+AvFAZsWys/zfY=; b=wAT+zhpN14DDtA8AVrdjNvaUonp2P7RJQ+imsmB289UnyQp0003HihPeNQf0f7Z07y kfdx4yEdXTHEG7iwVic980r+yS2OIdXonkMYRRoZ9NR94rMdtmq4C523R+UJ9xRM9pLP 0nPEQKvIa4k2O6BsDJbO/XErEhYc1bZyt+QH+mnE1yPp0KQVIz4lbmDjDEtAtN4ZF8+x nYIYVoO7/YhLg7oFhqRt10H553/jLJN42xQWSWV/g3nzEGvVuscEZ5+hPRduXoJVgM7c m6ToP4o8BSM0J2aT1vutKVqeDiyz92DkRutrKbGosVsk1Slk7ElIfdMy7UeGMBt0uLvZ S4Sw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="WsvfY/nA"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e5si3039124edk.409.2020.06.12.01.02.45; Fri, 12 Jun 2020 01:02:50 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="WsvfY/nA"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726340AbgFLICa (ORCPT + 15 others); Fri, 12 Jun 2020 04:02:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52742 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726262AbgFLIC3 (ORCPT ); Fri, 12 Jun 2020 04:02:29 -0400 Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 449CFC03E96F for ; Fri, 12 Jun 2020 01:02:29 -0700 (PDT) Received: by mail-lf1-x130.google.com with SMTP id d27so401277lfq.5 for ; Fri, 12 Jun 2020 01:02:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O+6S31Ax7KAo+OY8cQOUxDYubn5PN+AvFAZsWys/zfY=; b=WsvfY/nA8qOasBKgPt2JtJnmAKsxBrrcLDW0PXyrwcJeUZBdW8rGkv8gZTqZpCw3w3 e0x0Q5n8pq4MyDTAOmEL/YYDYi4bEUlQUtbuBqzElH38F4T/xGk9DwQqpjwmMTmveETX +qEOgDcajh8eBosDDDA4xsQPh18JEiwQEsxxCzUMHdKA8SywL6mcrygEbuIWtZX1/Dkd i7fA1S82vrZRDf+aY6cwVfNEfj5pcAZYU5QISNNH5kLqBm3HkqOGQ1bU3Lj8bbtPBt/C oeH8H0TrQOGUNgsu5HW5a6BeUM8M1R4slzns2Y4+EbC6Gci69NzpUmAak5SvV5wwGQFT gFng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O+6S31Ax7KAo+OY8cQOUxDYubn5PN+AvFAZsWys/zfY=; b=XIZviwD1rWvbW3XF3AS73CBy4Abo2/puWm7CDHBKUZSXgfiBZHHwvkj8Nef2T/Xz0G V+7R5JF57YBNqcc5bO+HjfED74CYbmeJSIgQYwS0a1kOAhKYJ9Nyvv0QzV0WbQ8o5dWK 59XWwLKp9sERXDyJRUqagp1y4jjNDKKGW98PWIK97B+7bQxhOOnlcaXk9fHVfT8nrFIu VtI2frglvEb4CC97RK1r76+XuvN6W1pHgjzC3CSOu+ejSBy2Tgyb2nDKJLvjjKFGViD8 uP2+52q1E8caOhxbs/BdFRUuElDn1KmQ3YqD/PittioHpVXwYOoAti4+cmYXA2Ecz6ok l+nw== X-Gm-Message-State: AOAM530glcAD5ybMZJ7TUU88pbi0GSm2Mz0lpl6MvNPI7WBpFPavYnfZ FRXVj+WEWTMeuE4FBiLw1NJ+4MrbX44CL8C+Y+gW0g== X-Received: by 2002:ac2:490f:: with SMTP id n15mr6243176lfi.39.1591948946996; Fri, 12 Jun 2020 01:02:26 -0700 (PDT) MIME-Version: 1.0 References: <3243717.6S2XvbbdUs@liv> In-Reply-To: <3243717.6S2XvbbdUs@liv> From: Dac Override Date: Fri, 12 Jun 2020 10:02:15 +0200 Message-ID: Subject: Re: Are we on the wrong track? To: Russell Coker Cc: refpolicy Content-Type: text/plain; charset="UTF-8" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Fri, Jun 12, 2020 at 2:16 AM Russell Coker wrote: > > The reference policy is getting an increasing number of domains and types with > an O(N^2) level of complexity for writing policy and an O(N^2) size of the > binary policy. In 2012 the binary policy on my machines was 560k, now it's > over 2M. The number of domains available by default should not be a problem if you can easily select which modules you want to use. with module policy this is not as easy as with CIL as the modular nature of module policy makes it harder to resolve dependencies (almost impractical). The human readable nature of CIL and iits "feels like modular but is really just monolithic" nature makes dependency resolving at runtime with CIL generall much easier (but there are still limitations). > > In recent policy we have 6 different domains for systemd-generators. What > benefit are we expecting to get from this? Are we anticipating that one > generator will attack another? How would having separate domains for > generators do any good when there's no restriction on the contents of the > files they generate and nothing to prevent one generator from creating a file > of the name that another generator is expected to create? Is it even > reasonable to expect that a program that can create a systemd unit file with > arbitrary content (IE being able to start any daemon with arbitrary > configuration and command-line parameters) would be unable to exploit that for > unrestricted root access? > When push comes to shove, generators are just short-running services (ie its code run by systemd) generally (unit) generators do some enumeration and then create a runtime unit accordingly.but there have already been instances where this functionality has been "abused" (the dbus -> dbus-broker migration in fedora). In the end though, it might not be worth the trouble to target them. If you're allowed to write to the systemd runtime generator dir then you can drop a script , run systemd daemon-reload, and systemd will run that code. > We have a new set of domains, user_wm_t, staff_wm_t, etc. What is that for? > Is someone using the X controls and in need of a privileged window manager > domain to manage the clipboard etc? Why is staff_wm_t needed when we no > longer have staff_gpg_t? Does staff_r even make sense when you could just use > different MCS categories for different users? I suppose it's a generic domain for window managers. It originates from the metacity day's Things changed quite a bit since then (think wayland compositors) The derived types concept, originallly, i think, tackled the scenario where something needs to run either a shell or a cmmand on behalf of the caller and still run with private rules. This was quite an isssue in the recent past (for example pulseaudio clients would run pulseaudio on demand, pulse audio would run dbus on demand (i believe) and dbus would run potentially anything on demand (dbus activated services). So there was a dependency chain there to ensure some consistency. Nowaday/s thats all gone, pulseaudio is systemd socket activated, dbus is system socket activated, and dbus activation is really just dbus telling systemd to start something (rather than dbus running the dbus activated command itself) Another side effect of derived types is that it can be used for isolation of users sessions. Nowaday's roles can be used for this. Derived types, in practice, are bad because you cannot declare types reliably in optional policy. In effect that means that you cannot reliably use derived types for types that may be optional. > > We have one games_t domain for games which were packaged by the distribution. > Is this possible to give a useful benefit given that they some games the same > XDG config directories as more important things. If a game has the file > access needed to grab passwords from your MUA and network access to send them > out then is there a real benefit in having a separate domain for it? As an > aside I think that the ideal thing to do would be to have a SETGID program to > manage passwords for email etc that prevents the user from accessing them, it > could then proxy IMAP/SMTP connections so the MUA never knows the real > passwords. That's generalizing. But as for games. Today things like flatpak might be more suitable. Then you can combine SELinux and other kernel tech like namespaces, bind mounts to make stuff inaccessible etc. Theres also steam which essentially is a dumb version of flatpak. I don't think steam would ever need any access to a MUA and any of its assets > > We have special *_cronjob_t domains which in systems that use them (IE not > Debian) seem to give the potential for nothing but confusion. The general > expectation is that anything which can run as a user login session can also > run as a cron job. What benefit is this expected to provide? the derived cronjob domains (with the exception of system_cronjob_t) are conditional. This functionality can be tuned and i think it's disabled by default. There will always be legacy to carry, things change all the time. It is give and take. I don't think refpolicy has much of a future to forward to but not for the reasons above. module policy and monolithic policy are just too limited compared to CIL, and refpolicy has some designs centered around things that just don't work (think about the derived types limitation i mentioned above and how that is rooted to the core in refpolicy (example staff_dbusd_t and the dbus_role_template effectively make dbus a hard dependency (effectively nowaday's it is) but this also means that no dbus role templates (and this any dbus interfaces) should ever be in optional blocks DSSP3 is my vision of what a modern policy should look like (except that it doesn't support enforcement of confidentiality) Eventually though DSSP3 will grow legacy just like refpolicy, I do not pretend otherwise. But a lot has changed and DSSP3 took the opportunity to rebuild for the new new. Also with DSSP3 i learned from the bloat lesson. DSSP3 itself is intentionally kept small and concise.I acknowledge that policy has to be maintained over time and so if you limit yourself to a relatively small set of types/roes/id etc and you focus on the quality of that then you make life easier. I do have a "DSSP3 constrib" and this repository can and will has as many modules as needed (of course the quality of those modules cannot be vouched for) but they're all optional and self-contained (to the extent possible) > > -- > My Main Blog http://etbe.coker.com.au/ > My Documents Blog http://doc.coker.com.au/ > > >