From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4526A592.7020201@redhat.com>
Date: Fri, 06 Oct 2006 14:50:58 -0400
From: Daniel J Walsh
MIME-Version: 1.0
To: russell@coker.com.au
CC: Michael C Thompson, SE Linux, Stephen Smalley, jdesai@us.ibm.com
Subject: Re: [RFC PATCH] newrole suid breakdown
References: <452432FA.1060009@us.ibm.com> <200610060915.15441.russell@coker.com.au> <45268BD9.9050809@redhat.com> <200610070337.40031.russell@coker.com.au>
In-Reply-To: <200610070337.40031.russell@coker.com.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Russell Coker wrote:
> On Saturday 07 October 2006 03:01, Daniel J Walsh wrote:
>> Russell Coker wrote:
>>> On Thursday 05 October 2006 23:57, Daniel J Walsh wrote:
>>>> Does the code continue to work correctly if I compile in AUDIT_LOG_PRIV
>>>> and NAMESPACE_PRIV but run it without the setuid bit and as a normal
>>>> user. IE, We want the option to only set this setuid when in an MLS
>>>> environment. This is not required for targeted or strict policy
>>>> machines.
>>>
>>> Who does "we" mean in this context?
>>>
>>> I would like to have newrole work with namespaces in a strict policy
>>> environment!
>>
>> I am not denying you that right. I am asking for the tool to continue
>> working with or without setuid.
>
> Without setuid means without poly-instantiation based on SE Linux context,
> which means that probably most strict policy systems won't be able to
> effectively use poly-instantiation.
>
>> IE Don't force a setuid app on the OS, if I don't do pam_namespace or
>> care about role auditing.
>
> /usr/kerberos/bin/ksu is forced on the OS even though the vast majority of
> Fedora users will never use Kerberos.
>
> /usr/sbin/ccreds_validate seems to always get installed even on systems that
> will never use network authentication (again the majority).
>
> /usr/libexec/openssh/ssh-keysign is always installed even though it's
> generally recommended that you don't use host based authentication (and my
> observation is that almost no-one is using it).
>
> The rsh package has three setuid root programs and again is almost never
> needed (in fact it's recommended that you don't have it for several reasons).
>
> Without even trying I've found six setuid-root programs that are included in a
> fairly default install of Fedora and which are never needed by the vast
> majority of users. I doubt that all six are as well audited as newrole.
>
> It seems that the decision to force setuid programs on the OS has already been
> made.

Ok, After talking to people around here, I want to allow newrole to be setuid, but I want to remove it from policycoreutils and move it to policycoreutils-newrole, then I will require policycoreutils-newrole for mls and strict policy.

Dan

That seems to be the easiest solution.