container and staff_t

container and staff_t

[Russell Coker]

grep -R container_user_role policy/
policy/modules/roles/staff.te:	container_user_role(staff, staff_t, 
staff_application_exec_domain, staff_r)
policy/modules/services/container.if:template(`container_user_role',`

Why is staff_t the only domain for container_user_role() ?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: container and staff_t

[Kenton Groombridge]

[-- Attachment #1: Type: text/plain, Size: 758 bytes --]

On 25/08/29 08:20PM, Russell Coker wrote:
> grep -R container_user_role policy/
> policy/modules/roles/staff.te:	container_user_role(staff, staff_t, 
> staff_application_exec_domain, staff_r)
> policy/modules/services/container.if:template(`container_user_role',`
> 
> Why is staff_t the only domain for container_user_role() ?
> 

When the container policy was originally written, it was only tested
with staff_t and unconfined_t at the time.

The other roles (mostly user_t) should probably also be allowed to use
it but I would personally rather it be a tunable for each given the
amount of attack surface that unprivilged containers can still expose.
If we did that, staff_t should probably be tunable as well.

---
Kenton Groombridge

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 963 bytes --]