From: aranea@aixah.de (Luis Ressel)
Date: Wed, 13 Sep 2017 05:05:38 +0200
Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files
In-Reply-To: <320b65c8-ab22-95ab-76c0-a191f5087530@ieee.org>
References: <20170912024104.23305-1-aranea@aixah.de> <320b65c8-ab22-95ab-76c0-a191f5087530@ieee.org>
Message-ID: <20170913050538.7dc2af30@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 18:53:48 -0400
Chris PeBenito via refpolicy wrote:

> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
> > From: Jason Zaman
> >
> > The idea and code are from perfinion. I support it, but we should
> > probably discuss it.
>
> What's the rationale? Just because sysadmin has all the other access?
>

That, and because mmap()ing a file is a perfectly fine thing to do that various applications are bound to attempt. We cannot possibly add special rules for every tool an admin may attempt to run in the sysadm_t domain.

For example, my machines have git repos all over the place which I can no longer use without the map permission, and the grep replacement I'm using tries to mmap(), too. (It's nonfatal in the latter case, but the error messages and denials are annoying.)

Considering how sysadm_t has full access to all non-auth files anyway, the only scenario that the lack of the map permission is protecting us from is when a non-auth file is suddenly relabeled to an auth type. Are we really worried enough about such a corner case that we're willing to place a substantial restriction on sysadm_t?