[refpolicy] Policy modules design guidelines?

[cpebenito@tresys.com (Christopher J. PeBenito)]

On 1/17/2011 2:39 PM, Dominick Grift wrote:
> On 01/17/2011 08:17 PM, Christopher J. PeBenito wrote:
>> On 1/17/2011 10:07 AM, Dominick Grift wrote:
>>> I do agree that derived domain types add flexibility/complexity but i do
>>> not see how rbac can replace some of the functionality that prefixed
>>> domains and type enforcement provides (e.g. enforce policy for a
>>> application based on who runs the application (role prefix)
>>
>> Of course it can't replace all possible uses, but it does replace all
>> upstream instances, save the ones where there are execution path issues
>> like su, sudo, and screen.
>>
>> For example, the mozilla policy was exactly the same for all roles,
>> except each only accessed the role-specific home dir, X window, etc.  If
>> all objects in the system have an appropriate role in their context,
>> each instance of mozilla can be cleanly separated by role.
>
> think of all the nice use cases you can have with prefixed domains
> like secmark and many other use cases.
>
> staff_mozilla_t can use firefox to send recv external packets
> user_mozilla_t can use firefox to only send recv internal packets.
>
> staff_mozilla_t can run plugins
> user_mozilla_t cannot run plugins
>
> etc etc.
>
> remember the mozilla_$1... boolean we had?

As I have said before, it was a trade off.  It was discussed and what we 
have is the result of the decision.  I'm sorry it does not match your 
goals perfectly.

>>> Any gui user application should be prefixed in my view because they can
>>> all be run from nautilus and or gpanel (launchers). And if you confine
>>> either gpanel or nautilus there is no way to tell selinux who runs the
>>> application (other then nautilus or gpanel), and we cannot make any
>>> distinction.
>>>
>>> On top of that the prefixed type gives me the flexibility to create
>>> prefixed booleans. It allows me to customize a userdomain by just
>>> toggling a few booleans.
>>>
>>> currently for me role prefixes for domain types proves to be invaluable
>>> in my pursuit to confine the user space.
>>
>> Of course people can still do this for their custom policies.  However,
>> upstream is pragmatic with its usage.  The actual security gains by the
>> complexity you suggest tends to be dubious.  As long as that is the
>> case, we'll chose simpler policy.
>>
>
> In my view, upstream should in this case probably ignore/exclude user
> applications all together, no offence. Either she facilitates user space
> confinement or she does not, no dead ends or false hope for integrity on
> the desktop.

That is a black-or-white logical fallacy.  Upstream IS facilitating 
confinement.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com