2009-09-06 12:22:27

by nicky726

Subject: [refpolicy] Basic policy for KDE and Konqueror

Hello,

Dominick Grift wrote:

> looks like dbus_connect_session_bus() is not (yet) implemented in f11 and
> upstream refpolicy. Basically it facilitates the acquire_svc on user bus.
> You could create it yourself or add the local policy above as a workaround
> until the interface is implemented.

I'll use the workaround then, and when I have time, I'll try to look at
implementing the interface.

> The reason that dbus_connect_session_bus is not implemented is that
> confining GUI user apps does not have much priority and it presents some
> complications which minimize the benefits of confined gui user apps.

Could you write more about those complications which minimize benefits of
confined gui user apps? Or could you refer me to some article?

Thanx for cooperation,
Ondrej Vadinsky

--
Don't it always seem to go
That you don't know what you've got
Till it's gone.

(Joni Mitchell)


2009-09-06 13:16:41

by domg472

Subject: [refpolicy] Basic policy for KDE and Konqueror

On Sun, 2009-09-06 at 14:22 +0200, Nicky726 wrote:
> Hello,
>
> Dominick Grift wrote:
>
> > looks like dbus_connect_session_bus() is not (yet) implemented in f11 and
> > upstream refpolicy. Basically it facilitates the acquire_svc on user bus.
> > You could create it yourself or add the local policy above as a workaround
> > until the interface is implemented.
>
> I'll use the workaround then, and when I have time, I'll try to look at
> implementing the interface.
>
> > The reason that dbus_connect_session_bus is not implemented is that
> > confining GUI user apps does not have much priority and it presents some
> > complications which minimize the benefits of confined gui user apps.
>
> Could you write more about those complications which minimize benefits of
> confined gui user apps? Or could you refer me to some article?

Well, the main objective for using selinux is to prevent privilege
escalation. In the GUI user environment this is hard to prevent
fully, basically because of how desktop environments work.

For example gnome. If you confine a GUI user app for Gnome then you will
run into issues where your program needs to interact with the desktop.
Some of those objects get created with the user content type. So that
means that your GUI must interact with generic user content
(user_home_t, user_tmp_t). This is a form of escalation that is not
desirable.

It would be better if you can restrict your programs so that they cannot
interact with user content, because otherwise your program may be able to
read/write user files.

Fortunately this issue can for a large part be anticipated by creating a
special type for private user files, so that although a program can
interact with user_home_t files, it cannot read the special type, for
example my_private_files_t.

Other than that it's also a matter of security priorities. I guess many
in the community prioritize restricting root as opposed to
unprivileged users, since compromising root can lead to a compromised
system more easily.

However, in my view user content is also important to protect because
users use computers to store confidential data etc.

So in short, I think we are not quite to the point of confining the user
environment. There are some difficulties to overcome like GUI desktops,
and also not everyone agrees on the benefits of selinux in the user
environment, e.g. it makes operating a system much more complicated/
requires much more maintenance, and it is bug-prone.

> Thanx for cooperation,
> Ondrej Vadinsky
>
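An added illustration of the private-type approach described above; it is not code from the thread or from refpolicy itself. It sketches a refpolicy-style module that declares my_private_files_t (the name used in the reply) as user home content, labels a directory with it, and lets a hypothetical confined GUI domain myapp_t (an assumed name, as is the HOME_DIR/private path) read ordinary user_home_t files while no rule reaches the private type.

```selinux
## private_files.te -- example module, not from the thread or refpolicy
policy_module(private_files, 1.0.0)

########################################
#
# Declarations
#

# Special type for the user's confidential files (name taken from the reply).
type my_private_files_t;
# Register it as user home content so the normal home-directory handling
# (labeling, user relabel rights) applies; this adds it to the
# user_home_content_type attribute.
userdom_user_home_content(my_private_files_t)

# Matching file context, kept in private_files.fc of the same module
# (path is an assumption for this example):
#   HOME_DIR/private(/.*)?  gen_context(system_u:object_r:my_private_files_t,s0)

########################################
#
# Local policy
#

gen_require(`
	# Hypothetical confined GUI application domain, not a real refpolicy domain.
	type myapp_t;
')

# The app may list and read generic user home content (user_home_t) ...
userdom_read_user_home_content_files(myapp_t)

# ... but nothing here grants myapp_t any access to my_private_files_t.
# SELinux denies by default, so the absence of a rule is the protection.
# Caveat: interfaces that operate on the whole user_home_content_type
# attribute would also reach the private type, so a confined GUI domain
# should be given the narrower user_home_t interfaces, never something like:
#   allow myapp_t my_private_files_t:file read_file_perms;
```

Check the result after loading the module with `sesearch -A -s myapp_t -t my_private_files_t` (setools); an empty result is the expected outcome.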