From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 25 Mar 2010 11:46:03 -0400 Subject: [refpolicy] user vs unconfined In-Reply-To: <201003231316.13176.russell@coker.com.au> References: <201003091314.03493.russell@coker.com.au> <1268143101.4155.117.camel@gorn.columbia.tresys.com> <201003231316.13176.russell@coker.com.au> Message-ID: <1269531963.565.96.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2010-03-23 at 13:16 +1100, Russell Coker wrote: > On Wed, 10 Mar 2010, "Christopher J. PeBenito" wrote: > > Since all of the derived types encoded the role into the type, eg > > user_home_t vs staff_home_t, the original idea was to use the role to do > > the separating, via constraints. Then the duplicated TE rules would > > fall out, because everything would merged into user_home_t, ssh_home_t, > > mozilla_t, etc. > > > > Unfortunately, the RBAC isn't complete, so role transitions wouldn't > > work on directories (i.e. it requires a kernel change). > > Why hasn't the kernel change been implemented? No particular reason. No one has gotten around to it. > I know it would be a moderate > amount of work to get role transitions on creation under /tmp and role > comparisons with absolute role names (as well as the current role dominance). > But surely this sort of thing was always the plan. > > My suggestion of removing ":object_r" from file contexts as an optimisation > for storage space (and sometimes performance) was rejected for a reason. > > > This means that if an unconfined user has bad Unix permissions on their > > > home directory then user_t can replace a file that will be executed and > > > therefore gain unconfined_t access. > > > > > > So is there any benefit in using user_t in such a scheme? If there isn't > > > a benefit, and as almost all users of the Fedora policy will only use > > > unconfined_t for user sessions > > > > Dan turned off UBAC in Fedora. Before we implemented UBAC, he was > > already merging the derived types. > > Fedora 12 now has a admin_home_t. So it seems that admin_home_t has just > replaced sysadm_home_t and unconfined_home_t. > > Something like admin_home_t is necessary to stop system processes that access > home directories (such as procmail) from messing with files under /root. > Said daemons will be running with system_u and thus not be restricted with > ubac. I think the correct thing to do in procmail's case is to make a maildir_t or the like. Then procmail can only write to the maildir, if its in the user's home directory. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150