Re: staff_r

[Dominick Grift <dominick.grift@defensec.nl>]

Russell Coker <russell@coker.com.au> writes:

> Is there any point to staff_r?
>
> Currently it is a long way from usable for GUI sessions.
>
> For terminal sessions the isolation between staff_r and user_r is matched by 
> the isolation between user identities.

The idea, I believe, is that the difference between user_t and staff_t
is that the latter has access to privileges via su, sudo and
etc. staff_t is user user_t with access to root.

Practically that makes staff_r useful for confined
administration. Whereas user_t is not useful for that because user_t
cannot gain root.

These days things are more complicated with other ways to gain
privileges like policykit and others but the essence is, AFAIK, still
the same and even though systemd and others can leverage policykit even
in a non-gui environment it is still optional functionality.

>
> The role transition rules generally aren't used for anything and the roles 
> permitted to an identity determine what role transitions can be used.
>
> The vast majority of use of the reference policy is for "targeted" 
> configurations without even using user_r.
>
> Is there any reason for keeping staff_r?

Reference policy is a hybrid between strict and targeted. You can remove
or disable the targeted aspect and effectively enforce a strict policy
and this is where these confined login user domains are essential.

-- 
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl