From: domg472@gmail.com (Dominick Grift) Date: Sun, 06 Sep 2009 15:16:41 +0200 Subject: [refpolicy] Basic policy for KDE and Konqueror In-Reply-To: <200909061422.27551.Nicky726@gmail.com> References: <200909061422.27551.Nicky726@gmail.com> Message-ID: <1252243011.2689.16.camel@notebook1.grift.internal> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, 2009-09-06 at 14:22 +0200, Nicky726 wrote: > Hello, > > Dominick Grift wrote: > > > looks like dbus_connect_session_bus() is not (yet) implemented in f11 and > > upstream refpolicy. Basically it facilitates the acquire_svc on user bus. > > You could create it yourself or add the local policy above as a workaround > > until the interface is implemented. > > I'll use the workaround then, and when I have time, I'll try to look at > implementing the interface. > > > The reason that dbus_connect_session_bus is not implemented is that > > confining GUI user apps does not have much priority and it presents some > > complications which minimize the benefits of confined gui user apps. > > Could you write more about those complications which minimize benefits of > confined gui user apps? Or could you reffer me to some article? Well the main objective for using selinux is to prevent privilege escalation. In the the GUI user environment this is hard to prevent fully. Basically because of how desktop enviroments work. For example gnome. If you confine a GUI user app for Gnome than you will run into issues where your program needs to interact with the desktop. Some of those objects get created with the user content type. So that means that your gui must interact with generic user content (user_home_t, user_tmp_t) This is a form of escalation that is not desirable. It would be better if you can restrict your programs so that it cannot interact with user content. because else your program may be able to read/write to user files. Fortunately this issue can be for a large part anticipated by creating a special type for private user files. So that although a program can interact with user_home_t files, it cannot read the special type for example my_private_files_t. Other then that its also a matter of security priorities. I guess many in the community prioritize on restricting root as opposed to unprivileged users. Since compromizing root can lead to a compromized system more easily. However in my view user content is also important to protect because users use computers to store confidenial data etc. So in short, i think we are not quite to the point of confining the user environment. There are some difficulties to overcome like gui desktops and also not everyone agree on the benefits of selinux in the user environment, e.g. it makes operating a system much more complicated/ requires much more maintenance, and it is bug-prone. > Thanx for cooperation, > Ondrej Vadinsky >