All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, Chris PeBenito <pebenito@ieee.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions
Date: Thu, 13 Jul 2017 09:25:13 -0400	[thread overview]
Message-ID: <CAHC9VhS++BnxPSbSdVax9EVELRME63t4YpaMUYLc4QLNHhjLsg@mail.gmail.com> (raw)
In-Reply-To: <1499949843.624.0.camel@tycho.nsa.gov>

On Thu, Jul 13, 2017 at 8:44 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2017-07-12 at 20:27 -0400, Chris PeBenito wrote:
>> On 07/12/2017 05:38 PM, Paul Moore wrote:
>> > On Wed, Jul 12, 2017 at 9:26 AM, Stephen Smalley <sds@tycho.nsa.gov
>> > > wrote:
>> > > On Tue, 2017-07-11 at 17:00 -0400, Paul Moore wrote:
>> > > > On Mon, Jul 10, 2017 at 4:25 PM, Stephen Smalley <sds@tycho.nsa
>> > > > .gov>
>> > > > wrote:
>> > While I think splitting the NNP/nosuid transition restrictions
>> > might
>> > be a good idea under the new policy capability, I'm not sure it is
>> > worth the cost of a "process2" object class.
>> >
>> > With that in mind, let's do two things with this patch:
>> >
>> > * Mention the nosuid restrictions in the patch description.  It
>> > doesn't need much text, but something would be good so we have
>> > documentation in the git log.
>> >
>> > * Let's pick a new permission name that is not specific to NNP or
>> > nosuid.  IMHO, nnpnosuid_transition is ... less than good.
>> > Unfortunately, I'm not sure I'm much better at picking names; how
>> > about "protected_transition"?  "restricted_transition"?
>> > "enable_transition"?  "override_transition"?
>>
>> I vote for nnp_transition anyway.  "No New Privileges" encompasses
>> nosuid in my mind.  If the two perms had been separated I would have
>> been inclined to allow both every time one of them was needed, to
>> make
>> sure no one was surprised by the behavior difference.
>
> I agree; I'll keep it as nnp_transition and just document it in the
> patch description.

Sorry to be a stubborn about this, but nnp_transition makes little
sense for the nosuid restriction.  Like it or not, NNP has a concrete
meaning which is distinct from nosuid mounts.  We don't have to pick
any of the permission names I tossed out, none of those were very
good, but I would like to see something that takes both NNP and nosuid
into account, or preferably something that doesn't use either name
explicitly but still conveys the meaning.

-- 
paul moore
www.paul-moore.com

  reply	other threads:[~2017-07-13 13:41 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-07-10 20:25 [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions Stephen Smalley
2017-07-11 19:52 ` Stephen Smalley
2017-07-11 20:05   ` Dominick Grift
2017-07-11 20:10     ` Dominick Grift
2017-07-11 20:23       ` Stephen Smalley
2017-07-11 20:44         ` Dominick Grift
2017-07-12 13:01           ` Stephen Smalley
2017-07-12 13:30             ` Dominick Grift
2017-07-12 13:38               ` Dominick Grift
2017-07-12 13:42                 ` Dominick Grift
2017-07-12 13:52                   ` Stephen Smalley
2017-07-12 13:51                 ` Stephen Smalley
2017-07-11 21:00 ` Paul Moore
2017-07-12 13:26   ` Stephen Smalley
2017-07-12 21:38     ` Paul Moore
2017-07-13  0:27       ` Chris PeBenito
2017-07-13 12:44         ` Stephen Smalley
2017-07-13 13:25           ` Paul Moore [this message]
2017-07-13 15:48             ` Stephen Smalley
2017-07-13 15:59               ` Stephen Smalley
2017-07-13 16:55                 ` Dominick Grift
2017-07-13 18:13                   ` Stephen Smalley
2017-07-13 18:16                     ` Dominick Grift
2017-07-13 18:50                       ` Dominick Grift
2017-07-13 19:29                       ` Stephen Smalley
2017-07-13 19:28                         ` Dominick Grift
2017-07-13 19:43                           ` Dominick Grift
2017-07-13 19:59                             ` Stephen Smalley
2017-07-13 20:11                               ` Dominick Grift
2017-07-13 23:55                                 ` Chris PeBenito
2017-07-14  6:43                                   ` Dominick Grift
2017-07-13 20:15               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhS++BnxPSbSdVax9EVELRME63t4YpaMUYLc4QLNHhjLsg@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=pebenito@ieee.org \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.