Re: [idea] multiple contexts.

[Luke Kenneth Casson Leighton <lkcl@lkcl.net>]

On Wed, Jul 28, 2004 at 08:33:21AM -0400, David Caplan wrote:
> Luke Kenneth Casson Leighton wrote:
> > 
> > yes, sort-of: more that i only wish to limit what programs a user
> > can run (and what programs _those_ programs can run).
> >
> 
> That seems pretty straightforward using transition rules.
> 
> > in particular, i want to stop people from being able to use the
> > "Run" capability of Konqueror, etc.  STOP, not have the popup coming
> > up with "are you sure you want to run this program?".
> >
> 
> You may not have to worry about that if you've defined, via policy, what 
> the user (i.e., the domain they are in when running Konqueror, etc.) is 
> allowed to run.
> 
> >
> > setting up a kdeusers group, chgrp'ing the allowed programs
> > to that group, and setting permissions to 0660 is what i really
> > need...
> >
> 
> 0660 is -rw-rw----, I think you meant 0550, -r-xr-x---, right?
 
 oh, duh, yes.

> > ... but i wondered if there was a way to do that same thing in
> > SE/Linux...
> >
> > ... _without_ writing a whole stack of policies, one per program.
> >
> 
> That's your real issue.  You can accomplish the equivalent (of your 
> chgrp scenario) by defining a domain for all the allowed user programs 
> and causing a domain transition whenever a user (in your limited user 
> domain) executes an allowed program.  Then you only have to write a 
> policy that covers the needs of the set of allowed user applications. 

 yes, and that basically duplicates the entire set of user_t ...
 but for kde_user_t.

 i _really_ don't want to have to rewrite / copy and-then-maintain
 a duplicated set of user_t macros which are identical in _all_ respects
 to user_t except %s/user_t/kde_user_t/g


 that was the whole point of recommending a multiple-context
 thing: _adding_ kde_user_t to be "carried along" by a domain
 transition from user_t to kde_user_t _plus_ user_t through the
 execution of startkde, and then adding a few policy rules to
 allow kde_user_t _plus_ user_t permission to execute a few
 choice executables (those and only those "on the list").


> That gets you the equivalent (actually it's possibly a _little_ better 
> because you limited the permissions to only what the group needs and you 
> removed excess permissions that the user may have had when they enter 
> the new domain).

 

> What you really _need_ is a whole stack of policies so that each program 
> is limited to only what it needs.  

 yes.

> It's up to you to determine if your 
> intended environment requires the effort to do that. 

 not really, not right now! :)

 anyway, it's been made clear that a multiple policy idea is not
 desirable: it's quite a seriously large change to the design of
 selinux.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.