[refpolicy] Transition unconfined users to dpkg_t domain
sven.vermeulen at siphos.be
Fri Jan 10 13:46:38 EST 2014
On Fri, Jan 10, 2014 at 01:40:17PM -0500, Stephen Smalley wrote:
> >> What's wrong with transitioning from unconfined to confined? Going from
> >> more-privileged to less-privileged is the common (and safe) case, e.g.
> >> init -> daemon, login -> user, etc. It is confined -> unconfined
> >> transitions that are unsafe.
> > There is nothing "wrong" with it - it's a design choice of the policy. But I
> > believe it is confusing for end users. They expect that, if they are running
> > in an unconfined context, that all actions they invoke (and which aren't
> > about restarting network facing daemons of course) are unconfined.
> > If they call rpm or another package manager, and that package manager
> > suddenly runs in a restricted confined domain, then they might get denials
> > they do not expect. After all, these are actions they are triggering that
> > are suddenly denied.
> > I'm not saying it is simple to implement this principle in practice. It
> > requires both sufficient work on the policies (for instance, unconfined
> > domains should have the right file transitions that are otherwise only
> > assigned to the application domains) and SELinux-aware applications.
> > Such applications should not only take into account the "permissive" mode
> > (cfr Dan's blog post on this) but also consult what the target domain should
> > be when a transition is requested. For instance, Portage wants to transition
> > to a sandbox domain (which is configured in a /etc/selinux file) but might
> > be even better suited if it would check what domain transition to perform,
> > similar to how cron daemons often work.
> Ok, I don't agree. That way lies madness - a never-ending set of
> changes to userspace programs to re-implement everything already
> provided transparently through policy domain transitions and file type
The other case being extending the rights of those confined domains more and
more to suit the expectations of the end user?
The set of changes you're referring to is not never-ending, and they're
currently definitely not transparent. The amount of different approaches
taken by SELinux-aware applications is staggering and often requires
distribution SELinux maintainers to dive into the code to find out why an
application breaks in a certain way.
It would be beneficial if there was a common, documented approach on how to
deal with SELinux if SELinux-awareness is necessary.
Policy-development wise, we are still lacking enough directions (principles)
to continue to work on the policies. Right now, the community that works on
the policies (through the reference policy project) is close enough and has
sufficient discussions on all changes, but as SELinux gets more and more
used, I am expecting that the workload will increase and the number of
decisions to be taken with it.
And how to deal with unconfined domains trying to run an application is
definitely one of them.
More information about the refpolicy