From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 3 Dec 2014 11:12:00 -0500
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm
In-Reply-To: <20141203155521.GD29001@e145.network2>
References: <1417609724-28437-1-git-send-email-jason@perfinion.com>
 <547F0DB6.2060501@tresys.com>
 <20141203134221.GA20778@meriadoc.Home>
 <547F168F.2000109@tresys.com>
 <1417616847.29096.1.camel@joe.localdomain>
 <547F2FF5.1000509@tresys.com>
 <547F314A.3070408@tresys.com>
 <20141203155521.GD29001@e145.network2>
Message-ID: <547F3650.4020100@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/3/2014 10:55 AM, Dominick Grift wrote:
> On Wed, Dec 03, 2014 at 10:50:34AM -0500, Christopher J. PeBenito wrote:
>> On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
>>> On 12/3/2014 10:29 AM, Jason Zaman wrote:
>>>>
>>>> On 3 Dec 2014 18:27, "Dominick Grift" wrote:
>>>>>
>>>>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
>>>>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
>>>>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
>>>>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>>>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>>>>>>>> patch adds all the ones that were missing. Interfaces are added together
>>>>>>>>> with the matching _role() interface if it was already present.
>>>>>>>>>
>>>>>>>>> Make all && make validate passes, but anyone else that can run any test
>>>>>>>>> suites on this would be appreciated too.
>>>>>>>>
>>>>>>>> I'm not opposed to this change, but I wonder about cases like these:
>>>>>>>>
>>>>>>>>> +
>>>>>>>>> +optional_policy(`
>>>>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
>>>>>>>>>   asterisk_stream_connect(sysadm_t)
>>>>>>>>> ')
>>
>>>>>> I think there is still the question, should the stream connect be added
>>>>>> to the admin interface?
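Review bot: the new `+ asterisk_admin(sysadm_t, sysadm_r)` line is placed directly above an unchanged `asterisk_stream_connect(sysadm_t)` call in the same optional_policy block, and the commit message ("Interfaces are added together with the matching _role() interface if it was already present") does not say whether that standalone grant is still required once _admin is applied or whether _admin is expected to cover it. Please record the decision in the commit message either way: if the stream connect stays because it backs an admin task (the thread ties it to running "asterisk -r"), say so; if it is meant to be subsumed by asterisk_admin(), the separate call should go in the same patch so the block does not carry two grants for one purpose. The quoted region also lacks its @@ header, so reviewers cannot see whether other entries in sysadm.te follow the same admin-plus-direct-grant pattern.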
>>>>>>
>>>>>
>>>>> I would argue, no
>>>>>
>>>>> The application used to stream connect should instead be confined and
>>>>> _admin should run that application with a domain transition instead
>>>>>
>>>> I think admining something and using it are not necessarily the same so
>>>> I agree with Dominick, they should be separate.
>>>
>>> I also agree. The admin interfaces should have all of the rules needed
>>> to admin the service, and that's it. If that socket connect is not
>>> related to an admin function, then it should remain separate. I asked
>>> the question since I was unsure why there was a stream connect.
>>
>> From the commit, Sven said:
>>
>>> Author: Sven Vermeulen
>>> Date: Mon Oct 3 21:24:38 2011 +0200
>>>
>>> Allow sysadm to interact with asterisk
>>>
>>> When administering asterisk, one often-run command is "asterisk -r"
>>> which yields the asterisk CLI (when the asterisk server is running). To
>>> be able to run this, you need asterisk_stream_connect privileges.
>>>
>>> Assign these privileges to the sysadm_r
>>
>>
>> Which tells me that the stream connect should be added to the admin
>> interface.
>>
>
> Where do you draw the line, are you now also adding all the permissions
> to sysadm_t that asterisk cli needs to run?
>
> You don't see them now because sysadm_t is virtually unconfined_t already,
> but I bet the app needs permissions that a normal confined shell session
> does not need
>
> Why not just run the asterisk cli with a domain transition and associate
> these permissions with that domain instead of sysadm_t?

See my other email. If we further constrain sysadm_t, it may make more
sense to do that, but at this time I don't think it's warranted.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
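For readers following the design question in the thread, here is an added sketch of the alternative Dominick describes: give the asterisk CLI its own domain, reached from sysadm_t by a domain transition, so the stream connect and any other permissions the CLI needs are attached to that domain rather than to sysadm_t. This is illustrative policy written for this page, not code from the thread, from the patch under review, or from refpolicy. The type asterisk_cli_t and the interface asterisk_run_cli are assumed names; it also assumes the CLI is invoked through the same binary as the daemon (labelled asterisk_exec_t), which is why the entrypoint type is reused. asterisk_t, asterisk_exec_t, asterisk_var_run_t and the domtrans_pattern, stream_connect_pattern, application_domain and files_search_pids macros are refpolicy's existing ones.

```m4
# Hypothetical sketch (added example, not refpolicy's own policy).
# Assumed names: asterisk_cli_t, asterisk_run_cli.

# --- asterisk.te: a confined domain for the CLI client ---
type asterisk_cli_t;
# The CLI is the daemon binary run with -r, so the entrypoint is the
# existing asterisk_exec_t (assumption, see lead-in).
application_domain(asterisk_cli_t, asterisk_exec_t)

# The control-socket access lives here, not in sysadm_t.
files_search_pids(asterisk_cli_t)
stream_connect_pattern(asterisk_cli_t, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)

# The CLI is interactive, so let it use the caller's terminal.
userdom_use_inherited_user_terminals(asterisk_cli_t)

# --- asterisk.if: transition a caller into the CLI domain ---
########################################
## <summary>
##	Execute the asterisk CLI in its own domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`asterisk_run_cli',`
	gen_require(`
		type asterisk_cli_t, asterisk_exec_t;
	')

	domtrans_pattern($1, asterisk_exec_t, asterisk_cli_t)
	role $2 types asterisk_cli_t;
')

# --- sysadm.te: the admin interface plus the transition, in place of
# --- the direct asterisk_stream_connect(sysadm_t) grant ---
optional_policy(`
	asterisk_admin(sysadm_t, sysadm_r)
	asterisk_run_cli(sysadm_t, sysadm_r)
')
```

With this arrangement the question "where do you draw the line" has a concrete answer: whatever "asterisk -r" turns out to need is granted to asterisk_cli_t, and a denial during CLI use shows up against that domain in the audit log instead of widening sysadm_t. Note that because init also executes asterisk_exec_t to reach asterisk_t, the two transitions coexist; each is keyed on the calling domain, not the binary.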