From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 3 Dec 2014 16:39:43 +0100
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To: <547F168F.2000109@tresys.com>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home> <547F168F.2000109@tresys.com>
Message-ID: <20141203153942.GA29001@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J. PeBenito wrote:
> >>
> >> I'm not opposed to this change, but I wonder about cases like these:
> >>
> >>> +
> >>> +optional_policy(`
> >>> +	asterisk_admin(sysadm_t, sysadm_r)
> >>> 	asterisk_stream_connect(sysadm_t)
> >>> ')
> >>
> >> Since I would assume that the admin interface would already include the
> >> existing rule.
> >
> > Bacula_admin does indeed call _run_admin so I'll take that away;
> > asterisk does not call _stream_connect so that one is correct. I will
>
> I think there is still the question, should the stream connect be added
> to the admin interface?
>

In my opinion, where refpolicy went wrong is by allowing confined user domains this low-level access in the first place. Shells do not stream connect, applications do. sysadm is a strict domain and so it should run the app that stream connects in the app's domain with a domain transition, if that makes sense. That is strict. Anything else is "drunken unconfined" in my view, or at least a compromise.

In my vision confined users should be strictly enforced (least privilege), or at least as much as possible.

This will inflate the policy in a huge way, I see that. However, the policy should be modular anyway. One should only have installed what one needs (which is another thing that in practice proves to be currently not working well).

Ask yourself: do you know anyone that disables modules that he doesn't need when he installs a system? (I tried it once and it's a huge pain; I gave up trying. The toolchain (semodule) can't tell you the dependencies, so it just fails and you won't know why or where it fails.)

If you run an asterisk server and you want it strict then you should be able to have it strict. But that's where other decisions were made; now we have a huge policy that "tries to do everything, but does nothing right". Well, it's not that dramatic, but it is not perfect either (although nothing ever is).

In my view a huge policy is not a problem, but the policy that is there should at least be applicable.

There would be room for compromise though. For example, confined admins wouldn't run apps like systemctl with a domain transition because that wouldn't work either, but there should be a finer line than there currently is in my view (systemd ctl commands are an exception).

--
Dominick Grift
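Review bot: in the quoted hunk, the existing `asterisk_stream_connect(sysadm_t)` call is kept as unchanged context inside the newly added `optional_policy(\`` block next to `asterisk_admin(sysadm_t, sysadm_r)`; since the thread states that asterisk_admin does not itself call _stream_connect, retaining the explicit call is correct, but if the stream connect is later folded into the admin interface this line becomes redundant and should be dropped in the same change, as was done for the bacula case.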