From: Daniel J Walsh <dwalsh@redhat.com>
To: Colin Walters <walters@redhat.com>
Cc: Stephen Smalley <sds@epoch.ncsc.mil>,
SELinux ML <selinux@tycho.nsa.gov>,
Joshua Brindle <jbrindle@snu.edu>,
Jim Carter <jwcart2@epoch.ncsc.mil>,
Russell Coker <rcoker@redhat.com>,
Nalin Dahyabhai <nalin@redhat.com>
Subject: Re: Single home directory type for all roles.
Date: Thu, 09 Dec 2004 14:38:39 -0500 [thread overview]
Message-ID: <41B8A9BF.2080405@redhat.com> (raw)
In-Reply-To: <1102613299.10785.21.camel@nexus.verbum.private>
Colin Walters wrote:
>On Thu, 2004-12-09 at 11:50 -0500, Daniel J Walsh wrote:
>
>
>
>>1. Causes problems with sharing files between users, IE a staff user
>>coping a file to tmp and then the user
>>can't read it, because it has the wrong type.
>>
>>
>
>I feel that what we really need is an explicit file sharing area; for
>example the gnome-user-share program uses /home/$USER/Public. Having a
>special label for public files like this will also allow us to write
>policy for the gnome-user-share Apache daemon. It does seem wrong to me
>for any user_t to have access to my staff_t temporary files, and also
>the other way around (remember that user_t/staff_t prevents /tmp race
>conditions). I run a strict server on which I have several users who I
>don't *entirely* trust. The extra assurance the user_t/staff_t
>distinction brings is nice.
>
>
>
Currently few people use staff, because user can do everything staff can
do so you are not protected by this protection.
You also do not protect yourself from staff users attacking other staff
users.
>>2. Requirement that selinux-policy-strict-sources be installed and a
>>rebuild of policy in order to change the roles of a user.
>>
>>
>
>I'm not sure I see what's so bad about this. I would assume that most
>people running strict will have to customize policy anyways.
>
>
My goal is to get more people using strict, not just the ones capable of
writing policy.
>
>
>>3. But the number one problem I have is with relabeling files. If I
>>were to implement roles management in
>>system-config-securitylevel/adduser, I would need to trigger a relabel
>>any time a role of a user was changed. This
>>relabel would have to be inteligent enough to figure out not only the
>>home directories, but also the files in /tmp and potentially
>>files in html files scattered over the system. I find this an
>>unworkable situation.
>>
>>
>
>Hmm. But the fact that in the default strict policy user_r and staff_r
>are nearly equivalent in terms of functionality is really a special
>case, no? I imagine most people really using RBAC will be defining
>specialized roles such as webmaster_r, nurse_r, developer_r, etc. In
>this situation it seems to me that it would be unusual for a person to
>switch roles entirely; much more likely they would gain a role. And if
>they *did* switch roles, it seems likely that they would not have access
>to their old files at all.
>
>
>
If we move to this plan, we would turn off the compatability between
user and staff.
So only staff users could su, usermod, newrole. The reason they are the
same now is because
of the labeling problem, and the inability to easily change from a user
to a staff role. Why would
you not have access to your old files, if you switch roles. I agree
this might be good in some cases
but can't we develop a less stringent rule that does not require relabeling.
>>So yesterday I went though the policy and created a new tunable
>>single_user_file_type, that causes the policy to share a common
>>filetypes between staff and users. (Haven't completed this for http yet).
>>
>>
>
>I'm not saying it's not useful to have an option, but before
>recommending this, I'd like to think a bit more about any other possible
>solutions. I don't have any good ideas about how to handle user_r ->
>staff_r in general right now though.
>
>
>
>>With SELinux Policy Modules, can I build an system-config-user/adduser
>>that would modify a file under /etc/selinux/strict/roles/
>>(the users file) and then reload just that policy?
>>
>>
>
>I haven't looked in detail at binary policy modules, but my guess is
>that they can't *delete* a role, type, or permission. So it seems
>difficult to use a binary policy module to change a user's role, e.g.
>from user_r to staff_r as you suggest.
>
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-12-09 19:38 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-07 0:08 patch: add can_create() macro, allow file_type_auto_trans(a,b,c, { file dir }) Thomas Bleher
2004-12-08 19:32 ` James Carter
2004-12-09 16:31 ` Some more fixes Daniel J Walsh
2004-12-09 18:35 ` Thomas Bleher
2004-12-10 20:14 ` James Carter
2004-12-09 16:50 ` Single home directory type for all roles Daniel J Walsh
2004-12-09 17:20 ` Stephen Smalley
2004-12-09 17:40 ` Stephen Smalley
2004-12-10 16:23 ` Manipulating user roles without policy-sources installed Daniel J Walsh
2004-12-10 16:37 ` Stephen Smalley
2004-12-10 18:09 ` Daniel J Walsh
2004-12-10 18:38 ` Stephen Smalley
2004-12-09 17:47 ` Single home directory type for all roles Russell Coker
2004-12-09 17:53 ` Stephen Smalley
2004-12-09 18:12 ` Russell Coker
2004-12-09 18:18 ` Stephen Smalley
2004-12-09 18:45 ` Stephen Smalley
2004-12-09 19:08 ` Russell Coker
2004-12-09 20:03 ` Casey Schaufler
2004-12-10 12:20 ` Russell Coker
2004-12-10 15:22 ` Valdis.Kletnieks
2004-12-10 16:19 ` Casey Schaufler
2004-12-10 17:00 ` Valdis.Kletnieks
2004-12-10 17:06 ` Stephen Smalley
2004-12-10 17:29 ` Casey Schaufler
2004-12-09 20:40 ` Valdis.Kletnieks
2004-12-10 3:03 ` Russell Coker
2004-12-10 14:09 ` Daniel J Walsh
2004-12-10 14:31 ` Stephen Smalley
2004-12-10 15:43 ` Colin Walters
2004-12-10 16:33 ` Casey Schaufler
2004-12-13 13:25 ` Russell Coker
2004-12-13 13:56 ` Daniel J Walsh
2004-12-13 14:19 ` Russell Coker
2004-12-09 19:07 ` Thomas Bleher
2004-12-09 19:19 ` Russell Coker
2004-12-09 17:28 ` Colin Walters
2004-12-09 18:02 ` Russell Coker
2004-12-09 19:45 ` Daniel J Walsh
2004-12-09 20:07 ` Stephen Smalley
2004-12-09 20:13 ` Russell Coker
2004-12-09 20:22 ` Daniel J Walsh
2004-12-09 20:30 ` Russell Coker
2004-12-09 21:38 ` Thomas Bleher
2004-12-10 2:56 ` Russell Coker
2004-12-09 22:29 ` Colin Walters
2004-12-10 13:11 ` Stephen Smalley
2004-12-10 16:28 ` Colin Walters
2004-12-09 21:16 ` Thomas Bleher
2004-12-10 2:58 ` Russell Coker
2004-12-09 22:43 ` Colin Walters
2004-12-10 2:23 ` Russell Coker
2004-12-10 15:48 ` Colin Walters
2004-12-10 21:58 ` Luke Kenneth Casson Leighton
2004-12-09 19:38 ` Daniel J Walsh [this message]
2004-12-09 19:58 ` Stephen Smalley
2004-12-09 20:09 ` Daniel J Walsh
2004-12-09 20:17 ` Russell Coker
2004-12-09 20:38 ` Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2004-12-09 18:50 Alex Ackerman
2004-12-09 19:29 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41B8A9BF.2080405@redhat.com \
--to=dwalsh@redhat.com \
--cc=jbrindle@snu.edu \
--cc=jwcart2@epoch.ncsc.mil \
--cc=nalin@redhat.com \
--cc=rcoker@redhat.com \
--cc=sds@epoch.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
--cc=walters@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.