SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Denis Obrezkov <denisobrezkov@gmail.com>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: Are we on the wrong track?
Date: Fri, 12 Jun 2020 13:00:05 +0200
Message-ID: <f4abbf59-5a51-31c5-ae39-6a43914b890b@gmail.com> (raw)
In-Reply-To: <3243717.6S2XvbbdUs@liv>

Hi, Russell,

I am a novice in SELinux, even though I am learning it for a year or so.
And I can't really understand why SELinux is SO complex. Not only the
policy, but the whole SELinux.
For example, there are two different ways of writing a policy - CIL and
the other one. And they have conflicting namesets (typeattribute =
atttribute). At the same time, this behavior is just slightly
documented. One can't create a policy only using information from docs.
At the same time, some parts of SELinux are very unstable. Like, MCS. It
was introduced and it is used only for VM management. And mcstransd is
bad. It's really bad. I was trying to use it and it was totally
unstable. So, even if someone wants to use MCS - it is almost impossible
because tools are unstable and MCS is already almost exclusively used by
VMs.

On 12.06.20 02:03, Russell Coker wrote:
> The reference policy is getting an increasing number of domains and types with 
> an O(N^2) level of complexity for writing policy and an O(N^2) size of the 
> binary policy.  In 2012 the binary policy on my machines was 560k, now it's 
> over 2M.
> 
> In recent policy we have 6 different domains for systemd-generators.  What 
> benefit are we expecting to get from this?  Are we anticipating that one 
> generator will attack another?  How would having separate domains for 
> generators do any good when there's no restriction on the contents of the 
> files they generate and nothing to prevent one generator from creating a file 
> of the name that another generator is expected to create?  Is it even 
> reasonable to expect that a program that can create a systemd unit file with 
> arbitrary content (IE being able to start any daemon with arbitrary 
> configuration and command-line parameters) would be unable to exploit that for 
> unrestricted root access?
> 
> We have a new set of domains, user_wm_t, staff_wm_t, etc.  What is that for?  
> Is someone using the X controls and in need of a privileged window manager 
> domain to manage the clipboard etc?  Why is staff_wm_t needed when we no 
> longer have staff_gpg_t?  Does staff_r even make sense when you could just use 
> different MCS categories for different users?
> 
> We have one games_t domain for games which were packaged by the distribution.  
> Is this possible to give a useful benefit given that they some games the same 
> XDG config directories as more important things.  If a game has the file 
> access needed to grab passwords from your MUA and network access to send them 
> out then is there a real benefit in having a separate domain for it?  As an 
> aside I think that the ideal thing to do would be to have a SETGID program to 
> manage passwords for email etc that prevents the user from accessing them, it 
> could then proxy IMAP/SMTP connections so the MUA never knows the real 
> passwords.
> 
> We have special *_cronjob_t domains which in systems that use them (IE not 
> Debian) seem to give the potential for nothing but confusion.  The general 
> expectation is that anything which can run as a user login session can also 
> run as a cron job.  What benefit is this expected to provide?
> 

-- 
Regards, Denis Obrezkov

  parent reply index

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-12  0:03 Russell Coker
2020-06-12  7:05 ` Topi Miettinen
2020-06-12  8:02 ` Dac Override
2020-06-12  9:54   ` Russell Coker
2020-06-12 10:15     ` Dominick Grift
2020-06-12 12:05       ` Russell Coker
2020-06-12 12:26         ` Dominick Grift
2020-06-12 12:53           ` Russell Coker
2020-06-12 13:20             ` Dominick Grift
2020-06-14 16:30             ` Topi Miettinen
2020-06-12 11:00 ` Denis Obrezkov [this message]
2020-06-12 11:53   ` Russell Coker
2020-06-12 11:57   ` Dominick Grift
2020-06-12 12:52 ` Chris PeBenito
2020-06-12 13:02   ` Russell Coker
2020-06-12 14:03     ` bauen1
2020-06-15 13:52     ` Chris PeBenito
2020-06-15 21:02       ` Russell Coker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f4abbf59-5a51-31c5-ae39-6a43914b890b@gmail.com \
    --to=denisobrezkov@gmail.com \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git