2008-09-24 20:54:23

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch

Remove TODO, If we have not done it yet we should forgetabout it

Needs to run as an xserver_unconfined

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjaqP8ACgkQrlYvE4MpobNusQCdErcC5u3/Hu49J8DdHB8dcyYP
OhgAnidl5D06pFkqUWGox1h2Yuuzn6GA
=srgX
-----END PGP SIGNATURE-----


2008-09-25 07:13:10

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>
> Remove TODO, If we have not done it yet we should forgetabout it
>
> Needs to run as an xserver_unconfined

What is the point of having a firstboot_t? Why not just make it a typealias
for unconfined_t?

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

2008-09-25 20:12:53

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

Russell Coker wrote:
> On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]> wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patch
>>
>> Remove TODO, If we have not done it yet we should forgetabout it
>>
>> Needs to run as an xserver_unconfined
>
> What is the point of having a firstboot_t? Why not just make it a typealias
> for unconfined_t?
>
Probably not, although there may be some transitions for firstboot_t
which are not there for unconfined_t. Both are unconfined domains.

2008-09-25 21:00:24

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

On Friday 26 September 2008 06:12, Daniel J Walsh <[email protected]> wrote:
> Russell Coker wrote:
> > On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]>
wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patc
> >>h
> >>
> >> Remove TODO, If we have not done it yet we should forgetabout it
> >>
> >> Needs to run as an xserver_unconfined
> >
> > What is the point of having a firstboot_t? Why not just make it a
> > typealias for unconfined_t?
>
> Probably not, although there may be some transitions for firstboot_t
> which are not there for unconfined_t. Both are unconfined domains.

Why would you want such a transition?

firstboot is used to configure firewalls and things, being able to configure
them as unconfined_t is desirable and probably necessary.

>From a high-level concept I can't imagine why you would want firstboot_t
having any transition that unconfined_t lacks.

In terms of reducing policy size (and therefore memory use and disk space),
removing needless unconfined domains is the best thing to do.

A recent change that I've made is removing unconfined_crond_t and making
unconfined cron jobs run as unconfined_t.

I'm also wondering whether any of the $1_crond_t domains actually do any good.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

2008-09-26 12:55:06

by Daniel Walsh

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> On Friday 26 September 2008 06:12, Daniel J Walsh <[email protected]> wrote:
>> Russell Coker wrote:
>>> On Thursday 25 September 2008 06:54, Daniel J Walsh <[email protected]>
> wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F10/admin_firstboot.patc
>>>> h
>>>>
>>>> Remove TODO, If we have not done it yet we should forgetabout it
>>>>
>>>> Needs to run as an xserver_unconfined
>>> What is the point of having a firstboot_t? Why not just make it a
>>> typealias for unconfined_t?
>> Probably not, although there may be some transitions for firstboot_t
>> which are not there for unconfined_t. Both are unconfined domains.
>
> Why would you want such a transition?
>
Well we also have the problem of machines without the unconfined domain.
(MLS, Strict). So I am not sure how to fix those. As I have stated
before I think removing the unconfined domain is a mistake, I would much
rather be able to take the unconfined_domain privs away from initrc_t
and other unconfined domains and leave unconfined_t even for MLS
machines, when running as full administrator. Tools like rpm and dpkg,
firstboot are almost always going to need to be unconfined. file_trans
is what I was talking about. Making sure files created in /etc have the
right context. We can experiment with removing firstboot policy after
F10 is released, to make sure it does not cause any problems.
> firstboot is used to configure firewalls and things, being able to configure
> them as unconfined_t is desirable and probably necessary.
>
> From a high-level concept I can't imagine why you would want firstboot_t
> having any transition that unconfined_t lacks.
>
> In terms of reducing policy size (and therefore memory use and disk space),
> removing needless unconfined domains is the best thing to do.
>
> A recent change that I've made is removing unconfined_crond_t and making
> unconfined cron jobs run as unconfined_t.
>
> I'm also wondering whether any of the $1_crond_t domains actually do any good.
>
Fedora does not use $1_crond_t any longer.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjc26oACgkQrlYvE4MpobPALQCggiaj+TVbCDBcXx35WtzI25l+
BP8AoKS20L3NUo8zuOWZMA+558IcrY9+
=Ni/E
-----END PGP SIGNATURE-----

2008-09-26 20:34:27

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] admin_firstboot.patch

On Friday 26 September 2008 22:55, Daniel J Walsh <[email protected]> wrote:
> >> Probably not, although there may be some transitions for firstboot_t
> >> which are not there for unconfined_t. Both are unconfined domains.
> >
> > Why would you want such a transition?
>
> Well we also have the problem of machines without the unconfined domain.
> (MLS, Strict). So I am not sure how to fix those. As I have stated

Is it now possible to have a machine installed with MLS policy and never run
any other policy?

> before I think removing the unconfined domain is a mistake, I would much
> rather be able to take the unconfined_domain privs away from initrc_t
> and other unconfined domains and leave unconfined_t even for MLS
> machines, when running as full administrator.

That sounds reasonable.

> > I'm also wondering whether any of the $1_crond_t domains actually do any
> > good.
>
> Fedora does not use $1_crond_t any longer.

So staff_t cron jobs run as staff_t etc?

OK, I'll do the same for Lenny.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development