[refpolicy] Question: and the policy grows...

[dwalsh@redhat.com (Daniel J Walsh)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/17/2011 09:50 AM, Guido Trentalancia wrote:
> Hello everybody !
> 
> I have a question which I believe is quite interesting.
> 
> I often get on and off the list because of a lack of time, but I have
> noticed that most (if not all) of the patches that have been submitted
> to refpolicy in the last period of time, including a few patches that I
> have submitted, were intended to improve usability and were going to add
> new permissions to this or that policy module (it's always diff +).
> 
> So, the policy grows... and becomes weaker (less tight and secure),
> although hopefully more usable.
> 
> If this trends continues the policy will just become weaker and weaker
> with time and this might not always be backed by an increased usability.
> 
> I would even expect that some of the permissions added long time ago and
> still present in the policy are no longer needed by more recent versions
> of the same packages. And usually backwards compatibility (for very old
> package versions) is not something which should be guaranteed forever...
> 
> So my question is: who is going to take care of periodically trimming
> down the permissions in refpolicy that are no longer needed (keep the
> policy tight) ? But more importantly how is this going to be done
> technically (the methodology) ?
> 
> Thanks for your time !
> 
> Regards,
> 
> Guido
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

Great question.  I think one problem we have is that refpolicy is a one
size fits all system.  Upstream has decided to maintain policy in such a
way that it would continue to work on Ancient distributions (RHEL4),  So
removing Access could break older distributions.

On thing that refpolicy has not adopted is the use of inherited file
descriptors versus files descriptors opened by applications.

For example, we have lots of code that allows confined applications to
open terminals.  I would bet that almost no confined processes ever open
a terminal.  And yet the ability to open a terminal can give you a
communications channel to attack other confined processes or even the
confined user.

If  you put the prompt passwd: in front of me in a terminal, my fingers
will type my password before my brain can stop them.  :^)

Why not remove open from all tty handling.  Then confined apps can only
use ttys that are passed to them from parent processes.

Another big change I have put into Fedora policy is the ability to turn
off access to ldap for apps that need auth_use_nsswitch().  (Which turns
out to be just about all confined domains.)

getsebool -a | grep ldap
authlogin_nsswitch_use_ldap --> on

On RHEl6 and all Fedoras you can do this even if the system is using
ldap for passwd, since Fedora and RHEL6 use sssd for authorization and
passwd now.

Other cleanups like turning off unlabelednet.pp, unconfined.pp, While
leaving unconfined_t users, cleaning up corenet_*_all_nodes and
corenet_*all_if need to be done.

But it is very difficult to remove access that was granted, since no one
wants more bugs.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2CGdkACgkQrlYvE4MpobOi4ACeMEu26NsyLuMBf2RA20T2ULMg
8K0An0TlyQzP7KBvEF2HV1Wb2rHXU+SY
=Vo9d
-----END PGP SIGNATURE-----