Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp446926ybg; Fri, 12 Jun 2020 05:56:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyqORogAi6zHciWVKt798CHlRQybQPj7nctzpaaW+mmFDG2K+iIKbCmS51pqauGfgDLP1uJ X-Received: by 2002:a17:906:1088:: with SMTP id u8mr13790863eju.428.1591966576460; Fri, 12 Jun 2020 05:56:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591966576; cv=none; d=google.com; s=arc-20160816; b=wSkOZkzfDWJhjgRcyqLbhXCtkV8Ehht21nK7A9ME66AHtEPN3tt8DKsJARyKEyxqYO A7hL42zxl+20K2ANm0I3FtYGlzikURYg2Odd7arEJ0xLN6+3RHfxIMpc0R1b8GpY+nF9 d+CM0vtgehkDW+qrG3byckX/qhFQOKtIaKtOUmj9LWMH/tEoI1//Mn+qwkPgvtC5Y/vZ eZrIwvM0A+yYn8S3GmKhUN1UzqT5Vy186b7qJphEdwzsEMmkxS6LSWfyeDKNPE/CtWrk 2q41h+NxBjvrsTQ5hPZWiHmZMGzteGo8K4RJSt3/NbuSeAYfuCRmBBHRk8k/I7uVLv5o 2+Rg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=tHbwNrhA0lcIwb6KAkRUYAMkEB0twwHMfp1RmWmtO/E=; b=PpL3ybUruQfF3bzKIP0xL7hIaatl2D4CK3i/m12FRMtZEw8xSwB6LD5Yk2SlHhDQf4 WIV2ae0BfveLp1+gegTpnrIo3F8L7VY/pbGXwgsXdsMj56exL7L1zHK49QXWIzknaRff UEDTMwwen4DY/U1kj7iyeGtTzjgVn9GNyUf7RE6rXFq/F/+uRus5MzxV+C7lCyx3P/wb yE+giN1txupBcpwiGWvCeYOjUVwHpK59pc2VwtnTFyrI12foGYBeo3LMyAvdwCNvFSm3 8EYaQ4f5U1GgYhRkfPF0Du5g17DE46bI94bT0xpxoYHZ9ugAgAHE/CK4UMoAiqVEBeOO 4ydA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=pFnN5IDv; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z7si3280651edr.589.2020.06.12.05.56.12; Fri, 12 Jun 2020 05:56:16 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=pFnN5IDv; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726286AbgFLMxk (ORCPT + 15 others); Fri, 12 Jun 2020 08:53:40 -0400 Received: from smtp.sws.net.au ([46.4.88.250]:35006 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726085AbgFLMxk (ORCPT ); Fri, 12 Jun 2020 08:53:40 -0400 Received: from liv.localnet (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 5C0C2EF99; Fri, 12 Jun 2020 22:53:36 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1591966417; bh=tHbwNrhA0lcIwb6KAkRUYAMkEB0twwHMfp1RmWmtO/E=; l=3059; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pFnN5IDvT3ss+T7TheKFGVCvzou+LeFwzv9PnXHRH0sHgsr+e1H01ZKLTqVtKbUJS io8iO2FN83dOmlSSXi6GY+ycU749rk12Dr7OAXf+cnBtyQuCdwnfisHowAfgd2n8CN w0eTFE5zGhI5LRdUsgEBeiZANpJYDTQL6fvsrKQk= From: Russell Coker To: Dominick Grift Cc: refpolicy Subject: Re: Are we on the wrong track? Date: Fri, 12 Jun 2020 22:53:33 +1000 Message-ID: <3403154.DDNKOWLi4p@liv> In-Reply-To: References: <3243717.6S2XvbbdUs@liv> <11621688.XNj53QmPYG@liv> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Friday, 12 June 2020 10:26:35 PM AEST Dominick Grift wrote: > Russell Coker writes: > > On Friday, 12 June 2020 8:15:34 PM AEST Dominick Grift wrote: > >> What was the main part of your message than? The complexity involved > >> with removing modules you do not need in any given configuration? > > > > The difficulty in managing it all and the limited benefit in trying to do > > it. > Yes, Its a bit easier with CIL policy and maybe could even be automated > in an environment that leverages CIL (although not sure if that would be > worth the overhead) What exactly are you saying could be automated? > >> >> I suppose it's a generic domain for window managers. It originates > >> >> from the metacity day's Things changed quite a bit since then (think > >> >> wayland compositors) > >> > > >> > Are you saying we should remove the staff_wm_t? > >> > >> I am just sharing my knowledge. I will leave that decision to others. > > > > To know how something it works is to know whether it works well enough or > > should be improved. > > I think its subjective. > > Maybe there no longer is a need to derive wm_t. We would need to > identity why wm_t was derived in the first place. > > Maybe its worth it to make a distinction between X window managers and > Wayland window managers (although its not as simple i guess due to the > Xwayland compatibility layer) > > I guess I will just admit that I don't feel qualified to answer this > question. I just noticed that user_wm_t policy is in Debian/Buster, but I never noticed it because the type label for KDE wasn't setup. > >> There is no unconfined_t in dssp3. there is just "the system" and "the > >> system" is trusted and exempted. This simplifies the policy a great deal > >> since there isn't a number of unconfined domains by default, there is > >> just one trusted context by default (you can still make additional > >> domains unconfined but that is discouraged) > > > > So you have init, getty, and syslogd all running in the same context? > > Stuff that runs in "the system" context (is trusted): > sys.id:sys.role:sys.isid:s0 Why be so different? Why not system_u:system_r:base_sys_t:s0? > 1. systemd --system (pid1) > 2. systemd-tmpfiles --system > 3. dbus --system > 4. default login shells > 5. package managers > 6. unknown system services > > (i might have overlooked some) There is the argument about minimum privs. The minimum privilege extremists want to have things like compilers locked away, I disagree with that as a hostile party probably would have their own binaries ready. But restricting who can run the package manager to install things seems useful, more useful than having 32 different executable types as parts of systemd (not kidding, I ran wc). Most of my refpolicy development time is spent adding rules for extra domains that people have added and for extra systemd features. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/