Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp452021ybg; Fri, 12 Jun 2020 06:03:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzCP1PTTUrs0CRBxGdQqhsS9cg0GY91iLiP/fB/Rs0dCs3r9JQCzffHvWt4ZUhPkQTdpp6Z X-Received: by 2002:a05:6402:1bde:: with SMTP id ch30mr11855538edb.163.1591967013302; Fri, 12 Jun 2020 06:03:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591967013; cv=none; d=google.com; s=arc-20160816; b=Qy41qXrAQRpR2e1ioG5ZDLo36sSx7Et+D/B8djESCTmT+/+L3Kdbq1oMzc9cZtE/08 LkvVmRKSW7RCOPBJLKMKuAA0GvWNjdCn3YVYGsp2h6idz06574MvsMvnrO01EyHR3yeZ FsF3vuAZi028/H3yeCPL3sS0KfuSs23fbvYykrOEpQm7a6AReMgCuylV2zZ9/J6538u9 ghVFY1hBAkTiS6UhWJr+31QlzQ6eQPEwjwLTMVzPBB+z98a9BhVdVRg5ZOo3ooGrKLNF SGhz0AXkm8SeqdxszSnQTQiqiWclVU/t2tBqBEuH2nNMTzYvsazwUXZVnwWK9joPpdwe DTcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=EJOoB3MM8qyDjG8RS9TYtulCNjprZ5OxD1D+TlWUePI=; b=HnFT0B0qnfVONIJmGPuWoExNp+XDwyH5ey3UdOmoKr06E1oRDMVPqfbI+KuFu7viil C5hdsT4NAIe33/NONSlsVok6b2jaTub1MJ2mtgpIGpcPCTmgUhrRu0/qpJmkyQOCkFhs Jotd4zNRNG/N0zPcSbYkT/r2AbbQAf4TugqxP3WXQD8aOnfiNwcKn8GCNwevd/Uw36PU NaorwSbOvZs51ukI+b5PsfDjoZqTCvVQHIEmFMedl1dqLiAzgL33SV6/q8VLT0y05r9I pqYdMAkvpiEZOK9LjdZUb+aiotlFf3nYijvgFLtamUiEE1v3gd31QugOvf5rhi0sXx+V 1oqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=MSIVU9Td; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g12si3831157ejx.161.2020.06.12.06.03.28; Fri, 12 Jun 2020 06:03:33 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=MSIVU9Td; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726314AbgFLNDI (ORCPT + 15 others); Fri, 12 Jun 2020 09:03:08 -0400 Received: from smtp.sws.net.au ([46.4.88.250]:35912 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726323AbgFLNDF (ORCPT ); Fri, 12 Jun 2020 09:03:05 -0400 Received: from liv.localnet (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 998E2EF99; Fri, 12 Jun 2020 23:02:59 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1591966980; bh=EJOoB3MM8qyDjG8RS9TYtulCNjprZ5OxD1D+TlWUePI=; l=4571; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MSIVU9Td9lAG6xbupxEJFlnX/bh4ArYdxyTjRC0fqHEzKSU0H50EHE2c4AsucRR6S Vt4QFoyDs1eC4sk0j9pdih3r/NmztxMwcD4yHDGkGpmFfnrskXM1xC4/myHCqjgfaQ BLldjNIKVC7gPW+XI8LvYAfYIgwTi9ZAB2jTFNn0= From: Russell Coker To: Chris PeBenito Cc: selinux-refpolicy@vger.kernel.org Subject: Re: Are we on the wrong track? Date: Fri, 12 Jun 2020 23:02:55 +1000 Message-ID: <2469682.qIgoumM3a6@liv> In-Reply-To: <578d7c7c-cb41-b224-2758-144aa9b5c1ad@ieee.org> References: <3243717.6S2XvbbdUs@liv> <578d7c7c-cb41-b224-2758-144aa9b5c1ad@ieee.org> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Friday, 12 June 2020 10:52:56 PM AEST Chris PeBenito wrote: > > In recent policy we have 6 different domains for systemd-generators. What > > benefit are we expecting to get from this? Are we anticipating that one > > generator will attack another? How would having separate domains for > > generators do any good when there's no restriction on the contents of the > > files they generate and nothing to prevent one generator from creating a > > file of the name that another generator is expected to create? Is it > > even reasonable to expect that a program that can create a systemd unit > > file with arbitrary content (IE being able to start any daemon with > > arbitrary configuration and command-line parameters) would be unable to > > exploit that for unrestricted root access? > > I find this a valid criticism and reason enough to at least collapse them > into a single domain. The original intent was to constrain the special > access they use, but you are correct, a compromised generator could do > mostly do all the bad things anyway since it can write unit files. OK, I'll submit a patch for that. > > We have a new set of domains, user_wm_t, staff_wm_t, etc. What is that > > for? Is someone using the X controls and in need of a privileged window > > manager domain to manage the clipboard etc? > > Yes. > > > Why is staff_wm_t needed when we no > > > > longer have staff_gpg_t? > > Sounds like a gpg change that should be reverted. I had some of that in the Debian policy, it's a pain to maintain. > > Does staff_r even make sense when you could just use > > > > different MCS categories for different users? > > Yes, as user_r cannot reach admin roles whereas staff_r can. The user identity has a permitted list of roles, you can have users who are permitted user_r and sysadm_r and users who are only permitted user_r. The original benefit of staff_r was to protect staff from attacks by user_r accounts, but we can do that protection with the identity based constraints. > > We have one games_t domain for games which were packaged by the > > distribution. Is this possible to give a useful benefit given that they > > some games the same XDG config directories as more important things. If > > a game has the file access needed to grab passwords from your MUA and > > network access to send them out then is there a real benefit in having a > > separate domain for it? As an aside I think that the ideal thing to do > > would be to have a SETGID program to manage passwords for email etc that > > prevents the user from accessing them, it could then proxy IMAP/SMTP > > connections so the MUA never knows the real passwords. > > I'm a bit hazy on the details you're referring to but you're right that > games_t may not be too impactful. Dominick's flatpak/sandbox/container > approach may make more sense. I don't have any recent Linux gaming > experience (with Steam or otherwise) to judge. Experience playing games isn't really required. The situation is we have games_t assigned to a bunch of programs that come from the distribution and therefore meet certain minimum quality checks (which probably give the binaries in question a range of integrity that overlaps the contents of /usr/ sbin). We also have games downloaded from steam which don't have source available and can't be reviewed for quality. Also steam games are probably going to need DRI access which makes it extra exciting. > > We have special *_cronjob_t domains which in systems that use them (IE not > > Debian) seem to give the potential for nothing but confusion. The general > > expectation is that anything which can run as a user login session can > > also > > run as a cron job. What benefit is this expected to provide? > > I'd be fine dropping the instantiaton of *_cronjob_t (except > system_cronjob_t) but not removal of the template, for the few instances > that users need it. > > My question to you is why aren't you commenting on these changes as they are > submitted, instead of unloading on the changes years after the fact? > You've been around the SELinux community longer than I have. These changes > aren't merged in secrecy. I have commented on some of these things in the past (I rejected *_cronjob_t for Debian). We can deal with some inefficiency, but it builds up and now is at the stage where I think we have to revisit some assumptions that were made years ago. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/