Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp466410ybg; Fri, 12 Jun 2020 06:22:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwedY7Xi2fDPWAvka+OF8IQC1UVgXrS9wc5ljwCATRWO3MWoAobCr+2giPrjiFSyzvVo8GE X-Received: by 2002:aa7:da14:: with SMTP id r20mr11860792eds.7.1591968140150; Fri, 12 Jun 2020 06:22:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591968140; cv=none; d=google.com; s=arc-20160816; b=FHjlpWGlGrJ2Wsg81bFbd6+Qvc6M7qd9Y6GfNyQn03jZWoqI5VlGHRRvdn4MK4wlBn I+0yHcf0VzS2sB0vBRvZZ1hgbuC3X3IX5QnvtatQH3zad5oUYXL1dkauelN15THXy79O FLoPG8EZydEUJAYBjxJP49VC91cTOl0G3iq/2qMTvt2zqHHtbzZO7O2Q0mTNJ92oHXSa 4aVQBCYzY1UYwTGEF6jfTixYbFZabH07VawDN+CXzsJnXCLp2YbDiskvpa+bZRSgniS3 ZTZoiH9qYSCVPOkdzf4TYmsovPhG/JafrXkdn90nuei6LKXerH3+zf9YulGBKHclrnIF caUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from:dkim-signature :dkim-filter; bh=/3BdZ8qiBO49OoVTf99feO3JOC8b8Y3DwPktNhp8VXA=; b=jAElmKRXUFF4buMbperG735IDY/jbndwSc3yRff8vvWxQ2b/pxCiXDNT1w95NY/LAP +g577Facd+0b2CAYovd4R65YgZoK/UJP10FrJ3lpXYpkRSGgy9fnUFwYBU/Ij/eJdIAu vNsRYwKDioOJgD2iluPmfLM3EPq09InuO4kZ241pT2olqYD447vPKuAbs0HwbGzbX0aw Ij+D5ofbprK0tSkRYA8bYcE4Oh520J3aR9eny0fXZzCcYfghfQ9eUF/kMc1YiFI8wgOH AB6Un7SzGmtT6BX6ly8D8/xmE5NAbOEUGiQEad8tU4Pu1wL6hTOeVPCihhYS0TbVlkYT G2BQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b="LqLazwy/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o22si3814152ejh.73.2020.06.12.06.22.15; Fri, 12 Jun 2020 06:22:20 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b="LqLazwy/"; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726262AbgFLNUG (ORCPT + 15 others); Fri, 12 Jun 2020 09:20:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45184 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726255AbgFLNUG (ORCPT ); Fri, 12 Jun 2020 09:20:06 -0400 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id ED146C03E96F for ; Fri, 12 Jun 2020 06:20:05 -0700 (PDT) Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id D1F132A0FFA; Fri, 12 Jun 2020 15:20:04 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl D1F132A0FFA DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1591968005; bh=/3BdZ8qiBO49OoVTf99feO3JOC8b8Y3DwPktNhp8VXA=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=LqLazwy/m+SRj/1veKne7/3RugnB6iBKPSfW2Xylq2MxGJYb5bj0Q98NuKj/pvvQR pNiOECSM+Is3yNzh++LoTtCuKP0Uh8LJL7cQel0IlduXc/Ac6RZYSZkn+YoNh7huAH ZPhMwdhZAWHqqy2bE8Ht3wZl5KNRJmZmfRe+nm2k= From: Dominick Grift To: Russell Coker Cc: refpolicy Subject: Re: Are we on the wrong track? References: <3243717.6S2XvbbdUs@liv> <11621688.XNj53QmPYG@liv> <3403154.DDNKOWLi4p@liv> Date: Fri, 12 Jun 2020 15:20:00 +0200 In-Reply-To: <3403154.DDNKOWLi4p@liv> (Russell Coker's message of "Fri, 12 Jun 2020 22:53:33 +1000") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > On Friday, 12 June 2020 10:26:35 PM AEST Dominick Grift wrote: >> Russell Coker writes: >> > On Friday, 12 June 2020 8:15:34 PM AEST Dominick Grift wrote: >> >> What was the main part of your message than? The complexity involved >> >> with removing modules you do not need in any given configuration? >> > >> > The difficulty in managing it all and the limited benefit in trying to do >> > it. >> Yes, Its a bit easier with CIL policy and maybe could even be automated >> in an environment that leverages CIL (although not sure if that would be >> worth the overhead) > > What exactly are you saying could be automated? Its not practical but consider this: After every semodule transaction, code is run that looks at the cil filecons in the module store. if none of the filecons exist on the system the module gets marked disabled and is not compiled/loaded. You could i guess implement a similar trigger in the package manager that whenever you do a transaction it runs that same code to determine which modules are applicable and compile those in, disable the remainder. In practice that would be a pretty hefty operation, so might not be feasible to do this all the time .... > >> >> >> I suppose it's a generic domain for window managers. It originates >> >> >> from the metacity day's Things changed quite a bit since then (think >> >> >> wayland compositors) >> >> > >> >> > Are you saying we should remove the staff_wm_t? >> >> >> >> I am just sharing my knowledge. I will leave that decision to others. >> > >> > To know how something it works is to know whether it works well enough or >> > should be improved. >> >> I think its subjective. >> >> Maybe there no longer is a need to derive wm_t. We would need to >> identity why wm_t was derived in the first place. >> >> Maybe its worth it to make a distinction between X window managers and >> Wayland window managers (although its not as simple i guess due to the >> Xwayland compatibility layer) >> >> I guess I will just admit that I don't feel qualified to answer this >> question. > > I just noticed that user_wm_t policy is in Debian/Buster, but I never noticed > it because the type label for KDE wasn't setup. > >> >> There is no unconfined_t in dssp3. there is just "the system" and "the >> >> system" is trusted and exempted. This simplifies the policy a great deal >> >> since there isn't a number of unconfined domains by default, there is >> >> just one trusted context by default (you can still make additional >> >> domains unconfined but that is discouraged) >> > >> > So you have init, getty, and syslogd all running in the same context? >> >> Stuff that runs in "the system" context (is trusted): >> sys.id:sys.role:sys.isid:s0 > > Why be so different? Why not system_u:system_r:base_sys_t:s0? DSSP3 is a research project into leveraging CIL. CIL namespaces are therefore leveraged to the fullest. (not to mention that they rock) > >> 1. systemd --system (pid1) >> 2. systemd-tmpfiles --system >> 3. dbus --system >> 4. default login shells >> 5. package managers >> 6. unknown system services >> >> (i might have overlooked some) > > There is the argument about minimum privs. The minimum privilege extremists > want to have things like compilers locked away, I disagree with that as a > hostile party probably would have their own binaries ready. But restricting > who can run the package manager to install things seems useful, more useful > than having 32 different executable types as parts of systemd (not kidding, I > ran wc). I would agree that one should not install a compiler unless really needed. Defense in depth and all. As for the package manager: yes but you have to see this in context. I do leverage confined shells, and confined login shells as well. So even though by default all users can run the package manager, that is obviously not encouraged. One should instead at least use confined login shells for unpriv users. In DSSP3 is also confines most of the individual systemd components (even the clients for confined shells). systemd can leverage polkit (i am not a big fan of polkit) and DSSP3 supports that scenario as well. Thats actually one of the relatively few ascpects targeted in DSSP3.... DSSP3 is open by default (but looks deceive) on the other side it allows one locks it down quite a bit. It is just not treating the owner as a child. DSSP3 is a policy that "just works (most of the time)" for reactive users, and provides a nice framework to work with for proactive users. Theres really quite a bit of contrast there, some of it might not make a whole lot of sense to you. Then again, i do this for fun and dssp3 is a research project into leveraging CIL, and just a toy to tinker with. > > Most of my refpolicy development time is spent adding rules for extra domains > that people have added and for extra systemd features. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift