From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 13 Sep 2017 18:32:34 -0400
Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files
In-Reply-To: <20170913050538.7dc2af30@vega.skynet.aixah.de>
References: <20170912024104.23305-1-aranea@aixah.de>
	<320b65c8-ab22-95ab-76c0-a191f5087530@ieee.org>
	<20170913050538.7dc2af30@vega.skynet.aixah.de>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/12/2017 11:05 PM, Luis Ressel wrote:
> On Tue, 12 Sep 2017 18:53:48 -0400
> Chris PeBenito via refpolicy wrote:
>
>> On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote:
>>> From: Jason Zaman
>>>
>>> The idea and code are from perfinion. I support it, but we should
>>> probably discuss it.
>>
>> What's the rationale? Just because sysadmin has all the other access?
>>
>
> That, and because mmap()ing a file is a perfectly fine thing to do that
> various applications are bound to attempt. We cannot possibly add
> special rules for every tool an admin may attempt to run in the
> sysadm_t domain. For example, my machines have git repos all over the
> place which I can no longer use without the map permission, and the grep
> replacement I'm using tries to mmap(), too. (It's nonfatal in the
> latter case, but the error messages and denials are annoying.)
>
> Considering how sysadm_t has full access to all non-auth files anyway,
> the only scenario that the lack of the map permission is protecting us
> from is when a non-auth file is suddenly relabeled to an auth type.
> Are we really worried enough about such a corner case that we're
> willing to place a substantial restriction on sysadm_t?

I only wanted to understand the rationale, in case there was some other
detail that needed further consideration.

--
Chris PeBenito
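The check a reviewer of this change would want before and after applying it: which target types is sysadm_t actually being denied `map` on, and are they all non-auth types? The script below is an added example written for this page, not code from the thread or from refpolicy. It parses AVC lines in the standard audit format and prints the distinct target types for which a given source domain was denied `map`. The four AVC lines embedded in it are constructed for illustration (paths, pids and inode numbers are made up); the last one is there deliberately so that an auth type (`shadow_t`) shows up, since a rule scoped to non-auth files would leave that denial in place, which is the point of the distinction Luis makes above.

```sh
#!/bin/sh
# Added example, not part of the refpolicy thread. Lists the target types on
# which a source domain was denied the SELinux 'map' permission, read from
# AVC audit lines on stdin. Use it as:
#   ausearch -m avc -ts recent | map_denied_types sysadm_t
# The lines below are constructed sample input, not real logs.

SAMPLE_AVC='type=AVC msg=audit(1505260000.123:456): avc:  denied  { map } for  pid=1234 comm="git" path="/home/admin/repo/.git/index" dev="sda1" ino=1234 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505260001.456:457): avc:  denied  { map } for  pid=1235 comm="rg" path="/etc/hosts" dev="sda1" ino=99 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505260002.789:458): avc:  denied  { read } for  pid=1236 comm="cat" path="/etc/shadow" dev="sda1" ino=7 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505260003.000:459): avc:  denied  { map } for  pid=1237 comm="grep" path="/etc/shadow" dev="sda1" ino=7 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# map_denied_types <source_type>
# Reads AVC lines on stdin; prints each distinct target type (the third
# field of tcontext=) that <source_type> was denied 'map' on, sorted.
# Denials of other permissions and from other source domains are ignored.
map_denied_types() {
    src="$1"
    grep 'avc: *denied *{ map }' \
      | grep "scontext=[^ ]*:${src}:" \
      | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
      | sort -u
}

# Stand-alone run over the constructed sample. Any type printed here that is
# not in refpolicy's non_auth_file_type attribute (shadow_t in the sample)
# would still be denied after a rule limited to non-auth files; check with
# "seinfo -a non_auth_file_type -x" (setools) against the installed policy.
printf '%s\n' "$SAMPLE_AVC" | map_denied_types sysadm_t
```

Feeding real `ausearch -m avc` output through the function is the practical way to confirm Luis's claim that ordinary tools (git, a grep replacement) hit the `map` check, and to see whether any of the affected types are auth types, which a non-auth rule would not cover.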