Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1245717ybh; Thu, 16 Jul 2020 07:09:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx4rsrsXzuDfJ391rq43H3aM5WZVBRxriC0yGjkMiOfeaOXQMIAp+b7AlFwBlo7n3uFPQE7 X-Received: by 2002:a17:906:add3:: with SMTP id lb19mr3817790ejb.304.1594908582315; Thu, 16 Jul 2020 07:09:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1594908582; cv=none; d=google.com; s=arc-20160816; b=SPkqYp6j3n8ikbyVXXWJou8DYQ/Qjnhy6rgZ1oOuPK9NM5mRMODPHsgmqmYHJSS9Rf YogOedsddeMBuDJJce3n/3XK2CRbhG0uClslhXRqAMvKUEs/DEJQ8HRHdUaakCFqWhcN 5nGOBLEz9shiIZ2ublKj04xm5ANt9G/7+Sm+ltpeqaWnzCmEkzj9vgY8YXUMdJgtiW3s VtWbT0H0Ne4+KJftdoL9uh0oXoYHy/EPvssuumtZxUsOkIPmpfXPkjCA2onpWSf1yzSd 2SsBpIQubxzCIuAoU4db+Vl+UGTxKGEhKlr3LZLwLomfBNDYDGwWEA74S0O5bf0amvNO orTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=bJeEeqe/m8kmUat+xC89A1h5wvMa4Af4P9ifd4iczaM=; b=yMSdfVTJrIK3SqHNOo8JisZR0oAKY6xj7OeURad94NPTtRB+3LsGYlWDEb7hXw3ClD xFUQ9LlBmwh4TMaBvDuS6RPg8YnZCzoQBYCN0/r2v7QG1yeKlleRYxB1HHYh13W9z+eF Ugn1Ie75PI+S0gA6p1VUO3ptsatRarsgdC0iq/F2IT3iMp5Pm1uqJVWRGxTAsK9pzpUX VGEM11E5Scs0bjZeedK5TvGMWqAFeCu2XW7lcKZMSMiXpoZxPqhMxRJwou+nTh9/qOsk oni9DYd0XpKc8ebKm9mtn0aO1ZGXH5IkWNd8rHOnOI7rZzJitTfXeJIW6Gfh2lhSVrrM FzJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=VOn3NUj1; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 18si4145729edv.191.2020.07.16.07.09.37; Thu, 16 Jul 2020 07:09:42 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=VOn3NUj1; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728362AbgGPOJf (ORCPT + 15 others); Thu, 16 Jul 2020 10:09:35 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44628 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727044AbgGPOJe (ORCPT ); Thu, 16 Jul 2020 10:09:34 -0400 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C485C061755 for ; Thu, 16 Jul 2020 07:09:34 -0700 (PDT) Received: by mail-qt1-x82d.google.com with SMTP id b25so4965548qto.2 for ; Thu, 16 Jul 2020 07:09:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=bJeEeqe/m8kmUat+xC89A1h5wvMa4Af4P9ifd4iczaM=; b=VOn3NUj1GFwJylSZnpNhtdsSklrz2g5KtsjyTJ/Bx2463q2zZrCLAw7G/dUShw/PHR bLyNsmpkuyzTV4DLhesSTruS4fA191Tp5NUd2QWpueyR+bKx5x4/I9D+nfzzmpCEs8B5 SBSQmHRTr6Ct9GpkqI+POgbZBKboc6E0nJRAI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=bJeEeqe/m8kmUat+xC89A1h5wvMa4Af4P9ifd4iczaM=; b=qzFZlNtWZFKCpHzy/hONInMZhfxSYZLluK2vRY53FuobvzPJLb4aj4+d4wjWls7m9x GdeUddF7LoLQC6rQCbyBan+m9a+l3hFRpdVMajlpCBPVOJaotGbBNmDtm8BQ5mZ3W5yc ONRtQAFnaGLJvibgJdDYw1Lkv/cVM7f9UfXrKMm1uEj9ncaMsJDCcwCixJ+qkYqWJiyJ bxz2nkEDIEjLtdwJoP7Yz8qZ74SBwWb3ZBY2G633FbMhdcpE1ip7mP3LTPyjWcdYnFzF sAqVii5Pm+w49THJuCH5v4rKSZSRib9G9CDDo3HUIY+E7tikHVnXyZeQYCXahLMzCX67 bz2A== X-Gm-Message-State: AOAM533o1U6jhE3VSA0P6cryXPNRkBlTchvOa7DQ3VCq90adgCtArEu0 tV86kb1fiNoVhrHblJZV+ntl90MTaSk= X-Received: by 2002:ac8:441a:: with SMTP id j26mr5257879qtn.191.1594908573208; Thu, 16 Jul 2020 07:09:33 -0700 (PDT) Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id q28sm8620878qtk.13.2020.07.16.07.09.32 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 16 Jul 2020 07:09:32 -0700 (PDT) Subject: Re: Are we on the wrong track? To: bauen1 Cc: selinux-refpolicy@vger.kernel.org References: <3243717.6S2XvbbdUs@liv> <578d7c7c-cb41-b224-2758-144aa9b5c1ad@ieee.org> <2469682.qIgoumM3a6@liv> From: Chris PeBenito Message-ID: Date: Thu, 16 Jul 2020 10:09:31 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org I realized that I missed this. On 6/12/20 10:03 AM, bauen1 wrote: > Hi, > > I also agree with most things already said. > > I would like to add that the way documentation is currently handled > involves too much copy + paste of almost meaningless descriptions, but I > haven't found a very good alternative either. (maybe adding a type > attribute to the param xml and generating a summary based on that could > work in the most common cases) The original intent with the XML-based docs was for tools to use (see policy.xml). As far as I know, the only tool that ever used it is long-dead (SLIDE). If we can come up with with a better solution that doesn't rule-out the potential for tools, I'd be fine with that. It may go better with a proper HLL and named interface parameters. > On 6/12/20 3:02 PM, Russell Coker wrote: >> Does staff_r even make sense when you could just use >>>> different MCS categories for different users? >>> Yes, as user_r cannot reach admin roles whereas staff_r can. >> The user identity has a permitted list of roles, you can have users who are >> permitted user_r and sysadm_r and users who are only permitted user_r. The >> original benefit of staff_r was to protect staff from attacks by user_r >> accounts, but we can do that protection with the identity based constraints. > > I would propose replacing user based constraints with role based > constraints: > The user part of the context (normally) doesn't change after login, this > means that files edited by a staff_u user become inaccessible by anyone > else, even if sudo is used to change to staff_u:sysadm_r:sysadm_t, but > reducing the user based constraints for staff_u is undesirable. This behavior depends on the type of the file. If you end up with a staff_u:object_r:etc_t context, the user separations don't apply since this is not a user file. We used to have role based separations but it was encoded into the TE rules and generated an enormous amount of rule duplication. There are some remaining examples of this, e.g. in the su and sudo policies (staff_su_t, sysadm_su_t). When the default_* statements were implemented I started to reimplement the role-based separations using the role, but then I lost the work before I finished. I don't think it is too involved, since it may be as simple copying the UBAC infrastructure and tweaking it to work on roles. -- Chris PeBenito