From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 30 Aug 2016 17:37:01 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
 contexts
In-Reply-To: <1472584981.15862.15.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
	<1471956294.17467.4.camel@trentalancia.net>
	<d4e37b0e-79de-eee1-fa40-7888b5802591@ieee.org>
	<1472075733.19800.4.camel@trentalancia.net>
	<cb9a9019-2e69-dde1-e3cb-aa4382f3f589@ieee.org>
	<1472317696.28955.1.camel@trentalancia.net>
	<c49f1270-caa7-7e41-60dc-66ce0fe44e3c@gmail.com>
	<1472318213.31962.2.camel@trentalancia.net>
	<d5ad4d2b-f29f-1e45-84a1-a69dedd428f4@gmail.com>
	<1472330498.25935.7.camel@trentalancia.net>
	<fd0e9bd4-f385-081b-36b5-ccf0c55cfa5c@gmail.com>
	<1472334513.25935.16.camel@trentalancia.net>
	<6b1697f1-2aaf-3727-5b69-8794a0f85530@gmail.com>
	<aef29033-a90d-f964-c23e-bb71bbae9154@gmail.com>
	<7EAFAD82-CDDA-47E3-950E-4D5610686C6C@trentalancia.net>
	<fc5ee4b5-fc19-a753-5b95-0f8a3d83d122@ieee.org>
	<1472584981.15862.15.camel@trentalancia.net>
Message-ID: <08ff72bd-3fdb-a3a9-a077-76d3f35b0ae0@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/30/16 15:23, Guido Trentalancia wrote:
> Hello Christopher.
>
> On Sun, 28/08/2016 at 14.40 -0400, Chris PeBenito wrote:
>> On 08/28/16 11:37, Guido Trentalancia via refpolicy wrote:
>>>
>>> Things are very far from working naturally as they are.
>>>
>>> On the other hand, the patches are surely far from being complete
>>> or stable yet, but at least every version allows to start the Gnome
>>> desktop.
>>>
>>> Now I met this major problem, it looks by all means a limitation of
>>> the existing framework, but I am sure that it will be sorted out...
>>>
>>> I am also waiting to hear from Christopher about this.
>>
>> The way I see it is that general purpose desktops are incredibly
>> complicated and are not designed with security in mind.  I wonder if
>> the
>> policy complexity needed to confine it all actually buys a
>> proportional
>> amount of security gains.  I'm not saying it shouldn't be done, but I
>> am
>> skeptical that it is worth it.
>
> Apart from confining the whole desktop, what I recently proposed to
> Dominick for further evaluation is as follows:
>
> - we patch the libsepol code so that it creates all the conflicting
> type rules instead of aborting;
> - we also patch the policy enforcing code, so that when it needs to
> enforce one of such conflicting type rules, it first searches for
> duplicates and then it enforces the one that matches the calling
> context.
>
> Do you think the above is feasible (in particular, "matching the
> calling context") ?

I don't know what you mean by "matching the calling context."  A 
conflicting type transition looks like this:

type_transition source_type exec_type:process new_domain;
type_transition source_type exec_type:process other_new_domain;

I don't see how you can decide between the two if they both exist in the 
policy (unless they are in opposite if/else blocks, which is valid).

-- 
Chris PeBenito