* I have begun merging XWindows Controls into Rawhide.
From: Daniel J Walsh @ 2008-02-25 14:07 UTC (permalink / raw)
To: Eamon Walsh, SE Linux, Christopher J. PeBenito
But the complexity of this stuff is just getting nuts.
I don't think we should have more than one type for xserver. Allowing a
confined user to transition to user_xserver_t is just nuts and ends up
having awful policy for getting xdm_xserver_t to work. Why in the world
would we allow a confined user to start an XServer? And if they can,
why not just allow them to start xdm_xserver_t? In Rawhide right now no
users can start an Xserver except unconfined_t and he starts
xdm_xserver_t to make sure the transitions work properly. If someone
actually has a use case where they need user separated xservers then I
say write that policy off the main stream. You can still theoretically
run multiple xdm_xserver_t at different MLS levels.
Having four macro parameters is confusing as hell, and needs to go.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: I have begun merging XWindows Controls into Rawhide.
From: Christopher J. PeBenito @ 2008-02-25 16:36 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eamon Walsh, SE Linux
On Mon, 2008-02-25 at 09:07 -0500, Daniel J Walsh wrote:
> But the complexity of this stuff is just getting nuts.
>
> I don't think we should have more than one type for xserver. Allowing a
> confined user to transition to user_xserver_t is just nuts and ends up
> having awful policy for getting xdm_xserver_t to work. Why in the world
> would we allow a confined user to start an XServer? And if they can,
> why not just allow them to start xdm_xserver_t? In Rawhide right now no
> users can start an Xserver except unconfined_t and he starts
> xdm_xserver_t to make sure the transitions work properly. If someone
> actually has a use case where they need user separated xservers then I
> say write that policy off the main stream. You can still theoretically
> run multiple xdm_xserver_t at different MLS levels.
>
> Having four macro parameters is confusing as hell, and needs to go.
This comes back to forthcoming effort for trying to use RBAC for role
separation. That would eliminate the structural complexity we see due
to using TE for the role separation.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: I have begun merging XWindows Controls into Rawhide.
From: Eamon Walsh @ 2008-02-25 20:17 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SE Linux
Christopher J. PeBenito wrote:
> On Mon, 2008-02-25 at 09:07 -0500, Daniel J Walsh wrote:
>
>> But the complexity of this stuff is just getting nuts.
>>
>> I don't think we should have more than one type for xserver. Allowing a
>> confined user to transition to user_xserver_t is just nuts and ends up
>> having awful policy for getting xdm_xserver_t to work. Why in the world
>> would we allow a confined user to start an XServer? And if they can,
>> why not just allow them to start xdm_xserver_t? In Rawhide right now no
>> users can start an Xserver except unconfined_t and he starts
>> xdm_xserver_t to make sure the transitions work properly. If someone
>> actually has a use case where they need user separated xservers then I
>> say write that policy off the main stream. You can still theoretically
>> run multiple xdm_xserver_t at different MLS levels.
>>
I would be fine with only having one type for the X server; this would
certainly simplify the policy that currently has all kinds of kludgery
to support both "xdm_" and "$1_".
On a locked-down strict system like an MLS box, the user wouldn't be
allowed to run startx anyway. So I agree that the current constructions
are unnecessary.
>> Having four macro parameters is confusing as hell, and needs to go.
>>
>
> This comes back to forthcoming effort for trying to use RBAC for role
> separation. That would eliminate the structural complexity we see due
> to using TE for the role separation
Is work being done on this? I recall you said you were interested in
taking on this task.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
* Re: I have begun merging XWindows Controls into Rawhide.
From: Christopher J. PeBenito @ 2008-02-25 20:52 UTC (permalink / raw)
To: Eamon Walsh; +Cc: Daniel J Walsh, SE Linux
On Mon, 2008-02-25 at 15:17 -0500, Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-02-25 at 09:07 -0500, Daniel J Walsh wrote:
> >> Having four macro parameters is confusing as hell, and needs to go.
> >>
> >
> > This comes back to forthcoming effort for trying to use RBAC for role
> > separation. That would eliminate the structural complexity we see due
> > to using TE for the role separation
>
> Is work being done on this? I recall you said you were interested in
> taking on this task.
I plan on starting after the xselinux branch merges into trunk.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: I have begun merging XWindows Controls into Rawhide.
From: Russell Coker @ 2008-02-26 9:26 UTC (permalink / raw)
To: Eamon Walsh; +Cc: SE Linux
On Tuesday 26 February 2008 07:17, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> I would be fine with only having one type for the X server; this would
> certainly simplify the policy that currently has all kinds of kludgery
> to support both "xdm_" and "$1_".
With an X server being a trusted object manager the benefit of having separate
instances of the X server for various roles is greatly reduced. Not that it
ever was a great benefit given the small number of people who used it.
In retrospect it should have been removed some time ago.
> > This comes back to forthcoming effort for trying to use RBAC for role
> > separation. That would eliminate the structural complexity we see due
> > to using TE for the role separation
>
> Is work being done on this? I recall you said you were interested in
> taking on this task.
Is this going to involve using roles on filesystem objects? If not then how
would you distinguish the files created by different roles?
--
russell@coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
* Re: I have begun merging XWindows Controls into Rawhide.
From: Christopher J. PeBenito @ 2008-02-26 13:42 UTC (permalink / raw)
To: russell; +Cc: Eamon Walsh, SE Linux
On Tue, 2008-02-26 at 20:26 +1100, Russell Coker wrote:
> On Tuesday 26 February 2008 07:17, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> > > This comes back to forthcoming effort for trying to use RBAC for role
> > > separation. That would eliminate the structural complexity we see due
> > > to using TE for the role separation
> >
> > Is work being done on this? I recall you said you were interested in
> > taking on this task.
>
> Is this going to involve using roles on filesystem objects? If not then how
> would you distinguish the files created by different roles?
Yes, the plan is to use roles on objects.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: I have begun merging XWindows Controls into Rawhide.
From: Stephen Smalley @ 2008-02-26 13:57 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: russell, Eamon Walsh, SE Linux
On Tue, 2008-02-26 at 08:42 -0500, Christopher J. PeBenito wrote:
> On Tue, 2008-02-26 at 20:26 +1100, Russell Coker wrote:
> > On Tuesday 26 February 2008 07:17, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
>
> > > > This comes back to forthcoming effort for trying to use RBAC for role
> > > > separation. That would eliminate the structural complexity we see due
> > > > to using TE for the role separation
> > >
> > > Is work being done on this? I recall you said you were interested in
> > > taking on this task.
> >
> > Is this going to involve using roles on filesystem objects? If not then how
> > would you distinguish the files created by different roles?
>
> Yes, the plan is to use roles on objects.
(note: requires a kernel change)
--
Stephen Smalley
National Security Agency
* Re: I have begun merging XWindows Controls into Rawhide.
From: Christopher J. PeBenito @ 2008-02-26 14:01 UTC (permalink / raw)
To: Stephen Smalley; +Cc: russell, Eamon Walsh, SE Linux
On Tue, 2008-02-26 at 08:57 -0500, Stephen Smalley wrote:
> On Tue, 2008-02-26 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Tue, 2008-02-26 at 20:26 +1100, Russell Coker wrote:
> > > On Tuesday 26 February 2008 07:17, Eamon Walsh <ewalsh@tycho.nsa.gov> wrote:
> >
> > > > > This comes back to forthcoming effort for trying to use RBAC for role
> > > > > separation. That would eliminate the structural complexity we see due
> > > > > to using TE for the role separation
> > > >
> > > > Is work being done on this? I recall you said you were interested in
> > > > taking on this task.
> > >
> > > Is this going to involve using roles on filesystem objects? If not then how
> > > would you distinguish the files created by different roles?
> >
> > Yes, the plan is to use roles on objects.
>
> (note: requires a kernel change)
Right, if you label a directory with a role other than object_r and
create a file in it, the file will get object_r. Also there are some
userland changes so login programs set the role on the terminal, newrole
changes the role on the terminal, etc. Now that I think about it, that
causes a problem for RHEL4 and even RHEL5 compatibility for upstream
refpolicy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
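The two separation schemes argued over in this thread, as an added toy model (not refpolicy code and not written by any of the posters): role separation done purely in type enforcement, where every role gets its own `$1_t`, `$1_xserver_t` and `$1_home_t` copies, versus one set of types shared by all roles with the role carried on each object. The model's access check runs the kernel's real stages in order (role authorized for the domain, TE allow rule, and then a role comparison on the object that today's kernel does not perform). The policy rules, the contexts, and the behaviour of the modeled kernel change (a new file takes its creator's role instead of object_r) are all assumptions chosen to illustrate the points made above, including Chris's note that a file created under a directory labeled with a non-object_r role still gets object_r.

```python
"""Toy model of how SELinux separates roles: pure type enforcement (TE)
versus RBAC with roles enforced on objects. Constructed example; the policy
fragments are illustrative, not copied from refpolicy."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text):
        user, role, type_ = text.split(":")[:3]  # an MLS range, if present, is ignored
        return cls(user, role, type_)


@dataclass
class Policy:
    # TE allow rules: (source_type, target_type, class) -> permissions
    allow: dict = field(default_factory=dict)
    # RBAC: role -> domain types the role may run in ("role user_r types user_t;")
    role_types: dict = field(default_factory=dict)
    # Hypothetical kernel behaviour: compare the subject role with a non-object_r
    # object role. Today's kernel does not do this; this is the "kernel change".
    roles_on_objects: bool = False

    def add_allow(self, src, tgt, cls, perms):
        self.allow.setdefault((src, tgt, cls), set()).update(perms)

    def add_role(self, role, *types):
        self.role_types.setdefault(role, set()).update(types)

    def types(self):
        return {t for key in self.allow for t in key[:2]}

    def check(self, subj, obj, cls, perm):
        """Return True if subj may perform perm on obj; every stage must pass."""
        if subj.type not in self.role_types.get(subj.role, ()):
            return False                           # RBAC: role not authorized for domain
        if perm not in self.allow.get((subj.type, obj.type, cls), ()):
            return False                           # TE: no allow rule
        if self.roles_on_objects and obj.role not in ("object_r", subj.role):
            return False                           # role mismatch on the object
        return True


ROLES = ("staff_r", "user_r")


def te_separated_policy():
    """Role separation expressed in TE alone: every role gets its own domain,
    its own X server type and its own home type (the $1_ prefix in the macros)."""
    p = Policy()
    for role in ROLES:
        pfx = role[:-2]                            # "staff_r" -> "staff"
        dom, xsrv, home = f"{pfx}_t", f"{pfx}_xserver_t", f"{pfx}_home_t"
        p.add_role(role, dom, xsrv)
        p.add_allow(dom, xsrv, "process", {"transition"})
        p.add_allow(dom, home, "file", {"read", "write"})
        p.add_allow(xsrv, home, "file", {"read"})
    return p


def rbac_separated_policy(roles_on_objects=True):
    """One domain, one X server type, one home type shared by all roles;
    separation comes only from the role carried on each object."""
    p = Policy(roles_on_objects=roles_on_objects)
    for role in ROLES:
        p.add_role(role, "user_t", "xserver_t")
    p.add_allow("user_t", "xserver_t", "process", {"transition"})
    p.add_allow("user_t", "user_home_t", "file", {"read", "write"})
    p.add_allow("xserver_t", "user_home_t", "file", {"read"})
    return p


def new_file_context(creator, parent_dir, roles_on_objects=False):
    """Label a newly created file. Today the role is always object_r, whatever the
    directory carries; with the modeled kernel change (an assumption) it takes the
    creator's role. No type_transition rules are modeled: type comes from the parent."""
    role = creator.role if roles_on_objects else "object_r"
    return Context(creator.user, role, parent_dir.type)


def home_access(policy, subj, own_home, other_home):
    """(may read own role's home, may read the other role's home)."""
    return (policy.check(subj, own_home, "file", "read"),
            policy.check(subj, other_home, "file", "read"))


if __name__ == "__main__":
    te, rbac = te_separated_policy(), rbac_separated_policy()
    print("types needed: TE", len(te.types()), "RBAC", len(rbac.types()))
    staff = Context.parse("staff_u:staff_r:staff_t:s0")
    print("TE staff_r:", home_access(te, staff,
                                     Context.parse("staff_u:object_r:staff_home_t"),
                                     Context.parse("user_u:object_r:user_home_t")))
```

Running it shows the TE scheme needing three types per role against three in total for the shared scheme, with identical separation results; switching `roles_on_objects` off on the shared scheme (today's kernel, where every file is object_r) makes staff_r and user_r home files indistinguishable, which is why the plan needs the kernel change Stephen mentions.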