From: Daniel J Walsh <dwalsh@redhat.com>
To: SELinux <selinux@tycho.nsa.gov>
Subject: We have a pretty big bug between SELinux and the User Namespace
Date: Thu, 10 Mar 2016 14:27:44 -0500
Message-ID: <56E1CAB0.9020002@redhat.com>

But our people have limited time to work on it; it has been
back-burnered since last summer.

https://bugzilla.redhat.com/show_bug.cgi?id=1236256

Basically, user namespaces introduce a new concept of namespaced
capabilities. SELinux currently blocks the use of all capabilities
and does not differentiate. If someone is looking to cut their teeth on
kernel and security work, I think it would be a good project
to try to differentiate in policy and the kernel between the two
kinds of capabilities.

The current problem I am seeing is with a confined user. staff_t does
not have any capabilities, but when he runs Chrome, it uses
user namespaces to isolate the chrome_sandbox and protect the host. Non-privileged
users on Fedora are allowed to set up user namespaces,
but some of the activity of setting up the user namespace requires
namespaced SYS_ADMIN. Since SELinux blocks SYS_ADMIN for staff_t,
I cannot run Chrome without temporarily running setenforce 0, or adding
SYS_ADMIN to staff_t. Neither is an attractive solution.

Wearing my best Tom Sawyer hat, white washing this fence would be fun.

Anyone want to take a shot?

Dan
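The two-step failure Dan describes (an unprivileged user namespace can be created, but the next step that needs CAP_SYS_ADMIN inside it is refused) is easy to reproduce on any confined domain. The probe below is an added example, not code from the mail or from Chrome's sandbox. The stage and outcome names are this example's own. It forks a child, unshares a user namespace, maps the caller's uid/gid to 0 there, and then asks for a mount namespace, which requires CAP_SYS_ADMIN in the owning user namespace (PID and network namespaces, which Chrome's sandbox creates, take the same check). At that point the child holds a full capability set in the new namespace, so an EPERM from the second unshare(2) is the LSM saying no, which is what the SELinux `capability sys_admin` check does for staff_t here. Newer kernels split this into separate `cap_userns`/`cap2_userns` SELinux classes so policy can allow it without granting the host capability.

```c
/* Added example (not from the original mail): probe whether this domain
 * can finish the user-namespace setup that chrome_sandbox needs.
 * Stage and outcome names below are this example's own invention. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum stage { STAGE_NEWUSER = 1, STAGE_UIDMAP, STAGE_NEWNS, STAGE_DONE };

enum outcome {
    OUTCOME_OK,              /* user namespace and mount namespace both created */
    OUTCOME_USERNS_BLOCKED,  /* unshare(CLONE_NEWUSER) itself refused */
    OUTCOME_MAP_FAILED,      /* uid_map / gid_map write failed */
    OUTCOME_NS_CAP_DENIED,   /* userns exists, namespaced CAP_SYS_ADMIN refused */
    OUTCOME_UNKNOWN
};

/* Pure mapping from (failing stage, errno) to an outcome, so the
 * interpretation can be unit-tested without calling unshare(2). */
enum outcome classify(int stage, int err)
{
    switch (stage) {
    case STAGE_DONE:    return OUTCOME_OK;
    case STAGE_NEWUSER: return OUTCOME_USERNS_BLOCKED;
    case STAGE_UIDMAP:  return OUTCOME_MAP_FAILED;
    case STAGE_NEWNS:   return err == EPERM ? OUTCOME_NS_CAP_DENIED : OUTCOME_UNKNOWN;
    default:            return OUTCOME_UNKNOWN;
    }
}

const char *outcome_name(enum outcome o)
{
    static const char *names[] = {
        "ok: unprivileged user namespace plus mount namespace created",
        "blocked: unshare(CLONE_NEWUSER) failed (user namespaces disabled for this user?)",
        "failed: could not write uid_map/gid_map",
        "denied: CAP_SYS_ADMIN inside the new user namespace refused; check the audit log for a capability AVC",
        "unknown failure",
    };
    return names[o];
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* Child body: returns the stage that failed (errno left set), or STAGE_DONE. */
static int userns_setup(void)
{
    char buf[64];
    if (unshare(CLONE_NEWUSER) < 0)          /* needs no capability for an unprivileged user */
        return STAGE_NEWUSER;
    /* Map our real uid/gid to 0 inside the namespace; setgroups must be denied
     * before an unprivileged gid_map write (file exists since Linux 3.19). */
    write_file("/proc/self/setgroups", "deny");
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)getuid());
    if (write_file("/proc/self/uid_map", buf) < 0) return STAGE_UIDMAP;
    snprintf(buf, sizeof buf, "0 %u 1", (unsigned)getgid());
    if (write_file("/proc/self/gid_map", buf) < 0) return STAGE_UIDMAP;
    /* We now hold a full capability set in the new userns.  A mount namespace
     * needs CAP_SYS_ADMIN there, and the LSM still gets to veto that check. */
    if (unshare(CLONE_NEWNS) < 0)
        return STAGE_NEWNS;
    return STAGE_DONE;
}

struct probe_result { int stage; int err; };

/* Run the setup in a forked child so the probe does not change this process. */
int probe_userns(struct probe_result *r)
{
    int fds[2];
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct probe_result c;
        close(fds[0]);
        c.stage = userns_setup();
        c.err = (c.stage == STAGE_DONE) ? 0 : errno;
        _exit(write(fds[1], &c, sizeof c) == (ssize_t)sizeof c ? 0 : 2);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], r, sizeof *r);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof *r ? 0 : -1;
}

int main(void)
{
    struct probe_result r;
    if (probe_userns(&r) < 0) { perror("probe"); return 1; }
    enum outcome o = classify(r.stage, r.err);
    printf("stage %d errno %d (%s): %s\n", r.stage, r.err,
           r.err ? strerror(r.err) : "-", outcome_name(o));
    return o == OUTCOME_OK ? 0 : 1;
}
```

Run it as the confined user with enforcing mode on; a "denied" result paired with an AVC such as `ausearch -m AVC -ts recent` showing `{ sys_admin }` in class `capability` against the staff_t context is the situation the mail describes. The same run under `setenforce 0` should report "ok", which separates the SELinux veto from the other reasons the probe can fail (user namespaces disabled by sysctl, a seccomp filter, or a missing uid_map write permission).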
