[refpolicy] Transition unconfined users to dpkg_t domain

Laurent Bigonville bigon at debian.org
Sun Jan 12 07:20:26 EST 2014


Le Fri, 10 Jan 2014 13:40:17 -0500,
Stephen Smalley <sds at tycho.nsa.gov> a écrit :

> On 01/10/2014 01:39 PM, Sven Vermeulen wrote:
> > On Fri, Jan 10, 2014 at 12:37:08PM -0500, Stephen Smalley wrote:
> >>> About my initial issue with dpkg exiting if it cannot transition
> >>> to "dpkg_script_t" from unconfined users. How do you think this
> >>> should be solved? People doesn't like the transition of
> >>> unconfined domains to confined ones (I agree with this), so you
> >>> think this should be fixed in the code (setexecfilecon() or dpkg)
> >>> or this could achieved in an other way in the policy?
> >>
> >> What's wrong with transitioning from unconfined to confined?
> >> Going from more-privileged to less-privileged is the common (and
> >> safe) case, e.g. init -> daemon, login -> user, etc.  It is
> >> confined -> unconfined transitions that are unsafe.
> > 
> > There is nothing "wrong" with it - it's a design choice of the
> > policy. But I believe it is confusing for end users. They expect
> > that, if they are running in an unconfined context, that all
> > actions they invoke (and which aren't about restarting network
> > facing daemons of course) are unconfined.
> > 
> > If they call rpm or another package manager, and that package
> > manager suddenly runs in a restricted confined domain, then they
> > might get denials they do not expect. After all, these are actions
> > they are triggering that are suddenly denied.
> > 
> > I'm not saying it is simple to implement this principle in
> > practice. It requires both sufficient work on the policies (for
> > instance, unconfined domains should have the right file transitions
> > that are otherwise only assigned to the application domains) and
> > SELinux-aware applications.
> > 
> > Such applications should not only take into account the
> > "permissive" mode (cfr Dan's blog post on this) but also consult
> > what the target domain should be when a transition is requested.
> > For instance, Portage wants to transition to a sandbox domain
> > (which is configured in a /etc/selinux file) but might be even
> > better suited if it would check what domain transition to perform,
> > similar to how cron daemons often work.
> 
> Ok, I don't agree.  That way lies madness - a never-ending set of
> changes to userspace programs to re-implement everything already
> provided transparently through policy domain transitions and file type
> transitions.

OK, I've proposed a patch to the ML so at least dpkg will work in
enforcing mode.

If some rework on how the package manager are handled, I guess it
should be done for all of them.

Cheers,

Laurent Bigonville


More information about the refpolicy mailing list