From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 3 Dec 2014 16:55:22 +0100
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To: <547F314A.3070408@tresys.com>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com> <547F0DB6.2060501@tresys.com> <20141203134221.GA20778@meriadoc.Home> <547F168F.2000109@tresys.com> <1417616847.29096.1.camel@joe.localdomain> <547F2FF5.1000509@tresys.com> <547F314A.3070408@tresys.com>
Message-ID: <20141203155521.GD29001@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Dec 03, 2014 at 10:50:34AM -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
> > On 12/3/2014 10:29 AM, Jason Zaman wrote:
> >>
> >> On 3 Dec 2014 18:27, "Dominick Grift" wrote:
> >>>
> >>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> >>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
> >>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
> >>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> >>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> >>>>>>> patch adds all the ones that were missing. Interfaces are added together
> >>>>>>> with the matching _role() interface if it was already present.
> >>>>>>>
> >>>>>>> Make all && make validate passes, but anyone else that can run any test
> >>>>>>> suites on this would be appreciated too.
> >>>>>>
> >>>>>> I'm not opposed to this change, but I wonder about cases like these:
> >>>>>>
> >>>>>>> +
> >>>>>>> +optional_policy(`
> >>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
> >>>>>>> asterisk_stream_connect(sysadm_t)
> >>>>>>> ')
> >
> >>>> I think there is still the question, should the stream connect be added
> >>>> to the admin interface?
> >>>>
> >>>
> >>> I would argue, no
> >>>
> >>> The application used to stream connect should instead be confined and
> >>> _admin should run that application with a domain transition instead
> >>>
> >> I think admining something and using it are not necessarily the same so
> >> I agree with Dominick, they should be separate.
> >
> > I also agree. The admin interfaces should have all of the rules needed
> > to admin the service, and that's it. If that socket connect is not
> > related to an admin function, then it should remain separate. I asked
> > the question since I was unsure why there was a stream connect.
>
> From the commit, Sven said:
>
> >Author: Sven Vermeulen
> >Date: Mon Oct 3 21:24:38 2011 +0200
> >
> >Allow sysadm to interact with asterisk
> >
> >When administering asterisk, one often ran command is "asterisk -r"
> >which yields the asterisk CLI (when the asterisk server is running). To
> >be able to run this, you need asterisk_stream_connect privileges.
> >
> >Assign these privileges to the sysadm_r
>
>
> Which tells me that the stream connect should be added to the admin
> interface.
>

Where do you draw the line, are you now also adding all the permissions to sysadm_t that asterisk cli needs to run?

You don't see them now because sysadm_t is virtually unconfined_t already, but I bet the app needs permissions that a normal confined shell session does not need.

Why not just run the asterisk cli with a domain transition and associate these permissions with that domain instead of sysadm_t?

-- 
Dominick Grift
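
Review bot: the unchanged asterisk_stream_connect(sysadm_t) line in the asterisk optional_policy block is left beside the new asterisk_admin(sysadm_t, sysadm_r) call with nothing saying why sysadm_t itself needs the socket. Either add a comment that it exists for the "asterisk -r" CLI, or settle in this patch whether that access belongs in asterisk_admin() or in a separate confined domain reached by a domain transition, so the grant to sysadm_t is a recorded decision rather than a leftover.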