Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp1227334ybh; Sun, 19 Jul 2020 12:30:21 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxNzRsLonyZTkXZ+SpMneLHSPkue5hAHLAsty3QHQX2cPs8T7P+Xi9owSy7rmgChTyZWeWT X-Received: by 2002:a17:906:6606:: with SMTP id b6mr18621256ejp.102.1595187021262; Sun, 19 Jul 2020 12:30:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595187021; cv=none; d=google.com; s=arc-20160816; b=Mjv6jDJ9UurNG7xyQH7+Z2Mh02vwVq5ETFZCoYpEkF3jrW9E4bMsNWkiW7OfDzEGe6 /+BLd5fi6cxzLieHEs1pBLux+Vz0it900zWvxHtOdbtrv30Seph3WYekfdhQjUHKfZ0k Dj1qZKkRClvk+xx6bwMXrwMff1ZpkqgLy9KC/cLVq20hnKrKKZUT4633sjj4hm6K5M0+ a6LkZ0Ajd4+MCXd/tSzkP9i8JdNxLNTacGy0JNQ259SFLPGTqnuY2lwsgnBrDi+fWVxB WKQIrLxXLI6Cber+jI4OacXzPTKr5WcxBGOH6JYQCIINgLlY71sZEmQKTeQZDcdLXyNq tsaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:subject:autocrypt:references:cc:to:from:dkim-signature; bh=VwXV296aclf75u9NFITj7waZ/jk1KlSQvgKfsbBDbe4=; b=gl2SOZSa0MoUSzaOwgsHmXTB1zs/EJDr1/neTMXazQoKZCKTeSO9KNyDuUPk3lY4l6 wAv+IHnMf13xYRNnXXNZLNoGcB+eGzW+9fh3VnBswNKtsQzqZd5jLdpYmyQWRbIVdbBk LHF7swnKd/ef6v2WeSWpS16CCxfzg2fVIQDHTpMtcMgEYLp1FPSFCOz9HK7han8OGRVR YC7YZyFRBploT/NwQejrT3KWJNwNDaAzIeVgsL48vXDBKDlalN/sd1fLifn9U1T++3be pXuhAyz8uwi74RLWXmo2KNsx2DiL6viXQGACzc0njH/QGzMi3iHswVcB6u+R7ktVQmzV py5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@googlemail.com header.s=20161025 header.b=reXjukEx; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k19si8649193eji.419.2020.07.19.12.30.15; Sun, 19 Jul 2020 12:30:21 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@googlemail.com header.s=20161025 header.b=reXjukEx; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726085AbgGST3i (ORCPT + 15 others); Sun, 19 Jul 2020 15:29:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726073AbgGST3h (ORCPT ); Sun, 19 Jul 2020 15:29:37 -0400 Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8620CC0619D2 for ; Sun, 19 Jul 2020 12:29:37 -0700 (PDT) Received: by mail-wm1-x330.google.com with SMTP id l2so23179533wmf.0 for ; Sun, 19 Jul 2020 12:29:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20161025; h=from:to:cc:references:autocrypt:subject:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=VwXV296aclf75u9NFITj7waZ/jk1KlSQvgKfsbBDbe4=; b=reXjukExsVdwpohDGzNNnAJVmiLFh7ulfG31M6h7UgrdmOcohCLP9GciUxmoysDZRt Q46Q3q09bnJZNChvEPtuL5n+2vhburcY4Th5nMNcb64WIUjiJqSehTzIQN7PsIVWWHA1 0npm+WNo+qdn0I2iUpCa8bTYgPbI0nkjMdzFcNXUMnri5lvm7rjKdZvdcjlJpILA9buH ytT4ksYU/B3OxQaedNqced1O/wu9uSRVHlvV/Psq6y04NL+NQ2edDGnHGnqjbuYUt68t hgz/upA8UHyWt8OQZEkoQ7Ot6kiuzskQ/IHxgCNHkCJrBNw1Ge/hu4EEU0r/jl6mcvtc W00g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:autocrypt:subject :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=VwXV296aclf75u9NFITj7waZ/jk1KlSQvgKfsbBDbe4=; b=c/WQ6sFHriZlIXxM52tVdqUO/c9+Ava7NH/Ho1+YAYkZk8lFA2eCnAXa1Q8lJvvqgp DtXZNxxlodzAvQI7+L61pIa7hypM+ybpGNEh9rYLyXo4dzi+fWkU5oS8Z3S4zdg5nvO/ f5nGBUNC9T36DSRamC4sQ9epRBGEn9YReNjI5WRvXZVeYGQDMxnNZv2bcmNrCAHaOLaW MquB1TqZ5iDfyIx8Zs0o+zR8BzmJ7bHf+LpXdg1rL9qe3vDOpwUmjiodGFkBmEDU5XKr BoqwdaGizNX4w7BZOmwD8Dg+VyWJTAT90JqY3hpwquOb1biqmOACag006ZJuQbWBzDuH fCRA== X-Gm-Message-State: AOAM531CjyPfdOG9b002R1NfN0W8kAOz8xu0gI0METvnAzVBDvJjYro1 zYE8jgz1rnK8eCsuPJb+x46bAFtc X-Received: by 2002:a1c:f60d:: with SMTP id w13mr19456166wmc.51.1595186975716; Sun, 19 Jul 2020 12:29:35 -0700 (PDT) Received: from ?IPv6:2a02:810d:4bc0:8098:a226:5056:b008:9621? ([2a02:810d:4bc0:8098:a226:5056:b008:9621]) by smtp.gmail.com with ESMTPSA id t14sm16079055wrv.14.2020.07.19.12.29.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 19 Jul 2020 12:29:34 -0700 (PDT) From: bauen1 X-Google-Original-From: bauen1 To: Chris PeBenito , bauen1 Cc: selinux-refpolicy@vger.kernel.org References: <3243717.6S2XvbbdUs@liv> <578d7c7c-cb41-b224-2758-144aa9b5c1ad@ieee.org> <2469682.qIgoumM3a6@liv> Autocrypt: addr=j2468h@gmail.com; keydata= mQINBFhYO0UBEADB9FOvBFPceReJkioc/Wpgb+4jquqgLaYFCq30wMRlbbxRE6W5piQdJBS9 1nHgehc1wKlpoX34I0fDYKmzhxU/wn7kPQqyIJ/x4Xc0un8rgLr6AB9J45+xYDAjTEP6wfzA DyCokyypi7knVSraYAUgmgBk+jEB/B1VpUxsE6X/tilqOLyPEkDX4dKUR/J2nPyfir3pYRFs siohNGbTOmwzwkA+rZClsUl9hO5n3oGAl3gJ352wIDJTDPd0YvyCTrHRpSTP9msKrFh3rILL aNgUNBr44QurGvxDuIrX6CIyqWUKO1tdnA1XOqsZDTEAa7IL6K7yoYRIzGZ+HmxemBhE/dxW qe4+nSru1QoucSNP6xa8F2HLeqvypD+xGerR4MELkBwa2XiGvS5OwF3XjevWcLQDztlXE1cW hK6fnK8XiXNcffG8YIhStSoW3dH3twPpEduqDAooLaCznxfNZFNcRU7iaoAk30xLv885jjga /FKs+jwlkzX/Xf6gvaLZhyIuF7x5yMFYZYKl/kA0XfY9x/d9YJe9MeBE5USZnssSGCgZXSt8 +tikDjEWAw43ANOG5Au/4wEoMI9eQmRRrQ9AfIb6MS1irfUwU0yGgHCkFX7nN54+2Zunvy9u YBk55oGh1MbVlIU/rEs+te0Syb8faX53oAMFPljqnqtS71AOLQARAQABtBliYXVlbjEgPGoy NDY4aEBnbWFpbC5jb20+iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEE XtbYJqzUP47Z1Puy/wqvXggSupwFAl6R95kFCQgZO9sACgkQ/wqvXggSupxmvBAAuf5OKd70 GGvwtg0IF0oZ5/ZomZuj/ULJo2wYXIfuWd6TVmJSPyGaWxkVZu+C4rQc43bCXigF9m7Ab8Sr 7PH5O3ZKbrYiFwgASjL62osCleoEeUBWOnXquB/SfA//KumtUeNfGoMv45xlP3YiEEqYtYLd Q1JWtkdxbf2n2fxhD25YUheZvRxZPCMnOZ0t8OVHmiq2G9go935UW96ogp5TuT/VmRFTd5+L nWKNOmXh6kLTwkc5pbYX+6DagNI0b8b9AwNInZ7A4Dc3tKR5cdb4FtJ6d4UZgq9l7sSbP38j P7LXBHU1JBmALomN1WD1jtLJa1i19BTscuxvtlfVYyNw1WJVERFQYMR0EBonv1jDIjpNIz+Q I4Ectri3Ac0d4FTB2wb7SHShZq+pYe1+jNiGaayaL14CvapGar1mTfEYnA1JMhhM5Vd/myRx mxUvred8BVijHgLWPSLX4FOaNDyQzgqBMkF/nugfDpqqIU/pxQ65AjVDnmxUFxNrWbeMYxUx rUgS9c+k7840Z8BHr8Cd0DfzJRv7k5YfSjK5POLB+rWf6ibL9Mg1QzxGRFZRWnQTrtLSH9dy RG27cUX7fn43onkRkB8TSlAovDpP/jnk52TL44s05acvw2rEOa4/ygU53Pud8i2870naMaHu n7ZHUJrGZ0BcCGwQ98HsSRm06BC5Ag0EWFg7RQEQANuS3Qmbp63gCD7WHWWedBAY5t/FVrPR mf426pq2xAbms1WBHUeQB9r7F4fUMBFU03WNk8JWi4nSl8p0z4rZaZD1TEsenbYx2IohTxi0 qtZ/eaTydVzPfBIY3awBxaS3GuV8xUgR/8VdJATpEUF2BnDKGihXBl9pPM8l46vG6HsqWpeZ /hw/zwaGi8cSXY6PlFRL/fcpiGLR5RefH5VhDwZ5YrwDCYNhWYDKXL++IkDja0NW3s2yRUJM bRib0r8hq87lA7N+HHwgOOYd/sJbCZObZzL/n+lR+VTHLxGmJHbk+JRdagFH1l+x+Vp1zhVM XJDUci7Wcx/kCzCWu08t5t4Lef7rWvYJCf9JQaKJQcKyXr6ky3d4mYfV8AcA/9fat9NzQB6e 7cHw8yOc/1e4xN/h3cGNLWiGb8HCAR0SH22Gb2epyfq+txdn3cwm2ot2lhOXK3l48T081x/q kWOw86ig9dIVxi0RUv3CUaV0/N4SVumVD3GwzMSI0rfwuUb7tOqMGQFxe/k9Fc9uFPP7LfTe ZTOayuZg9oHO6Ju3x+KSXPwYcXAfuy0elZQPyqMZwshC3l1sfwG7Di+98sPzsbVUm9eTjTfN x2r7N/a958W0h+1SuE172qfuabLu8vMMWIuo8RaQG/OVF2bRR8yEPSyUTqS7Aj2osSX5CFB/ 4TVLABEBAAGJAjwEGAEKACYCGwwWIQRe1tgmrNQ/jtnU+7L/Cq9eCBK6nAUCXpH3lAUJCBk7 2wAKCRD/Cq9eCBK6nIS9EACIMM/w9yai6OzWr/8yGAFvTGb3eAXTt0W1af2u0wuKpZwLT6mb lSdmy+6Unw0g5V/pa9ckKor4qzz+Bt8TAyV/bTvcdT8UrTOLmYOnD9EzaQ4HmgDK84Tsvlix 0JgAh62udn9obUvId5m/HaKKTg0zwP/RWS+L8kr9kDWPf3la4DPQ8Ni2wyIcwXyKdi0Fasl4 fO4jEEM00XZPFwin5yfAU42fmePKt9dtFd6jxOV9WjeyMTaxYr85viXo9YI1tvvErDMmqCjl uw+cAXP0bTKd4CAXTZ6lEUemPBo1A/UE2rxh+BOgfkKtZWxmOdiRj58n6F1lTKArS09DxNCP piqv8vG6cp+C5I7+XQSy8L21e5ZWCqBH5t/PXFFS8zoCS+OB0sdMfK6ytLA3U1e7UoOdC8cp la3N25xMXged7+1Dr3xliQKIDNAi/Y5EWCokshhwSoFTbcZoJyjo35HLQnQFcYXA14R/B3hd WA31VJlJxdzof4SuMElt4mAoaPzEkQovYzRU8+AKdk0gqjXth3BABvT403wj8Dt2Y73H1JaI 1gJO/cb9LHsB6DkhbQQZ5Dtir+L6t5Fy7u74xb7XDu4gXTJcE3zRSZJUy9dplxXLBj2s8S8v QatWOE7bzVfc5o1YqTJcchLqRbMDoKRPaf+GAmldrTM02RAJtebsBcauurkCDQRYWDtFARAA 25LdCZunreAIPtYdZZ50EBjm38VWs9GZ/jbqmrbEBuazVYEdR5AH2vsXh9QwEVTTdY2TwlaL idKXynTPitlpkPVMSx6dtjHYiiFPGLSq1n95pPJ1XM98EhjdrAHFpLca5XzFSBH/xV0kBOkR QXYGcMoaKFcGX2k8zyXjq8boeypal5n+HD/PBoaLxxJdjo+UVEv99ymIYtHlF58flWEPBnli vAMJg2FZgMpcv74iQONrQ1bezbJFQkxtGJvSvyGrzuUDs34cfCA45h3+wlsJk5tnMv+f6VH5 VMcvEaYkduT4lF1qAUfWX7H5WnXOFUxckNRyLtZzH+QLMJa7Ty3m3gt5/uta9gkJ/0lBoolB wrJevqTLd3iZh9XwBwD/19q303NAHp7twfDzI5z/V7jE3+HdwY0taIZvwcIBHRIfbYZvZ6nJ +r63F2fdzCbai3aWE5creXjxPTzXH+qRY7DzqKD10hXGLRFS/cJRpXT83hJW6ZUPcbDMxIjS t/C5Rvu06owZAXF7+T0Vz24U8/st9N5lM5rK5mD2gc7om7fH4pJc/BhxcB+7LR6VlA/KoxnC yELeXWx/AbsOL73yw/OxtVSb15ONN83Havs39r3nxbSH7VK4TXvap+5psu7y8wxYi6jxFpAb 85UXZtFHzIQ9LJROpLsCPaixJfkIUH/hNUsAEQEAAYkCPAQYAQoAJgIbDBYhBF7W2Cas1D+O 2dT7sv8Kr14IErqcBQJekfeUBQkIGTvbAAoJEP8Kr14IErqchL0QAIgwz/D3JqLo7Nav/zIY AW9MZvd4BdO3RbVp/a7TC4qlnAtPqZuVJ2bL7pSfDSDlX+lr1yQqivirPP4G3xMDJX9tO9x1 PxStM4uZg6cP0TNpDgeaAMrzhOy+WLHQmACHra52f2htS8h3mb8doopODTPA/9FZL4vySv2Q NY9/eVrgM9Dw2LbDIhzBfIp2LQVqyXh87iMQQzTRdk8XCKfnJ8BTjZ+Z48q3120V3qPE5X1a N7IxNrFivzm+Jej1gjW2+8SsMyaoKOW7D5wBc/RtMp3gIBdNnqURR6Y8GjUD9QTavGH4E6B+ Qq1lbGY52JGPnyfoXWVMoCtLT0PE0I+mKq/y8bpyn4Lkjv5dBLLwvbV7llYKoEfm389cUVLz OgJL44HSx0x8rrK0sDdTV7tSg50LxymVrc3bnExeB53v7UOvfGWJAogM0CL9jkRYKiSyGHBK gVNtxmgnKOjfkctCdAVxhcDXhH8HeF1YDfVUmUnF3Oh/hK4wSW3iYCho/MSRCi9jNFTz4Ap2 TSCqNe2HcEAG9PjTfCPwO3ZjvcfUlojWAk79xv0sewHoOSFtBBnkO2Kv4vq3kXLu7vjFvtcO 7iBdMlwTfNFJklTL12mXFcsGPazxLy9Bq1Y4TtvNV9zmjVipMlxyEupFswOgpE9p/4YCaV2t MzTZEAm15uwFxq66 Subject: Re: Are we on the wrong track? Message-ID: <03249797-9067-34f1-c4ec-39f163fb9042@gmail.com> Date: Sun, 19 Jul 2020 21:29:32 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Hi, On 7/16/20 4:09 PM, Chris PeBenito wrote: > I realized that I missed this. > > On 6/12/20 10:03 AM, bauen1 wrote: >> Hi, >> >> I also agree with most things already said. >> >> I would like to add that the way documentation is currently handled >> involves too much copy + paste of almost meaningless descriptions, but I >> haven't found a very good alternative either. (maybe adding a type >> attribute to the param xml and generating a summary based on that could >> work in the most common cases) > > The original intent with the XML-based docs was for tools to use (see policy.xml).  As far as I know, the only tool that ever used it is long-dead (SLIDE).  If we can come up with with a better solution that doesn't rule-out the potential for tools, I'd be fine with that.  It may go better with a proper HLL and named interface parameters. > >> On 6/12/20 3:02 PM, Russell Coker wrote: >>> Does staff_r even make sense when you could just use >>>>> different MCS categories for different users? >>>> Yes, as user_r cannot reach admin roles whereas staff_r can. >>> The user identity has a permitted list of roles, you can have users who are >>> permitted user_r and sysadm_r and users who are only permitted user_r.  The >>> original benefit of staff_r was to protect staff from attacks by user_r >>> accounts, but we can do that protection with the identity based constraints. >> >> I would propose replacing user based constraints with role based >> constraints: >> The user part of the context (normally) doesn't change after login, this >> means that files edited by a staff_u user become inaccessible by anyone >> else, even if sudo is used to change to staff_u:sysadm_r:sysadm_t, but >> reducing the user based constraints for staff_u is undesirable. > > This behavior depends on the type of the file. If you end up with a staff_u:object_r:etc_t context, the user separations don't apply since this is not a user file. I'll have to take another look at it then. > We used to have role based separations but it was encoded into the TE rules and generated an enormous amount of rule duplication.  There are some remaining examples of this, e.g. in the su and sudo policies (staff_su_t, sysadm_su_t). There are cases where these will still be necessary, mainly when type transitions to the user type are required, but some could be eliminated. > When the default_* statements were implemented I started to reimplement the role-based separations using the role, but then I lost the work before I finished.  I don't think it is too involved, since it may be as simple copying the UBAC infrastructure and tweaking it to work on roles. I've also worked on implementing RBAC and RBACSEP for refpolicy (A bit messy: https://github.com/bauen1/refpolicy/tree/rbac) . If this becomes a goal to implement, perhaps https://github.com/SELinuxProject/refpolicy/pull/203 could be merged first. In my CIL policy (https://gitlab.com/bauen1/bauen1-policy/) I use RBAC/RBACSEP and share the types for the generic desktop user between roles, so `user_u:user_r:user_t` becomes `user.user:user.role:user.type` and `staff_u:staff_r:staff_t` becomes `staff.user:staff.role:user.type`. When different permissions and type transitions are necessary "derived" types are used, e.g. for `sysadm.user:sysadm.role:sysadm.type`. This can reduce the amount of types and type enforcement rules by a lot when declaring multiple users that all share the same type rules (but maybe have additional roles). I'm not sure how well this works in practice yet. -- bauen1 https://dn42.bauen1.xyz/