From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from markus.defensec.nl (markus.defensec.nl [45.80.168.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B624B3A6B6F for ; Wed, 13 May 2026 11:25:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.80.168.93 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778671518; cv=none; b=scSriEhLVyajodCqJT+oOPBYhOseok+M3kHdNI+Ua04nGHn+5ah1yE8OEl0x7+im9HIn0Wl4PLIwdYx0BPQyh6reGkePjLnleCR3Ks1tfSYv81zTe3hSsosgxOYnUt0q1RdPA5h5YACDqgVQ4stdXBDOxCg3Mss8MDeGjPjpNpY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778671518; c=relaxed/simple; bh=7aidkHGXmjW8wuZFu2/nOqd+77OhNzonECrtXnY4mBA=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=GzaxSvRgK3mfRFFSC0DcE4K/DcakDW92dqviDjcoFiDwAF120Nu+C+QG2lQxwyvzZ/IEbKRAcozvQ8Z/yy+0FxeYAGfomszP75crOv6Jc9mBjvYp6rrOX4k0hGIQ3gTtrxq6p8fR908jDF19G8qdEwsFR2KbpCrXebNeTlcDEJA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl; spf=pass smtp.mailfrom=defensec.nl; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b=DEx7AV6Y; arc=none smtp.client-ip=45.80.168.93 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=defensec.nl Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="DEx7AV6Y" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defensec.nl; s=default; t=1778671222; bh=7aidkHGXmjW8wuZFu2/nOqd+77OhNzonECrtXnY4mBA=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=DEx7AV6YxIXdxWAyp/m1kJAe0+A3Tvg5KFXI512ZYjV7CtW/ppLnCSZrFNRpmTBrO OUS+TGvdY1I+lzV16QIrp1jX3vKdHWq0ek/p8mpH9J9vlmtIIQsblWqO1soXTj3uGb NtXPU19sRcGgL4+o5Tg+lOfzVwfrLEHYoKz/F9MM= Received: from nimbus (nimbus.defensec.nl [IPv6:2a10:3781:2099::514]) by markus.defensec.nl (Postfix) with ESMTPSA id 2AC8929E27D; Wed, 13 May 2026 13:20:22 +0200 (CEST) From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: staff_r In-Reply-To: <3505047.e9J7NaK4W3@dojacat> (Russell Coker's message of "Wed, 13 May 2026 21:04:03 +1000") References: <3505047.e9J7NaK4W3@dojacat> Date: Wed, 13 May 2026 13:20:21 +0200 Message-ID: <87zf23imiy.fsf@defensec.nl> User-Agent: Gnus/5.13 (Gnus v5.13) Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain Russell Coker writes: > Is there any point to staff_r? > > Currently it is a long way from usable for GUI sessions. > > For terminal sessions the isolation between staff_r and user_r is matched by > the isolation between user identities. The idea, I believe, is that the difference between user_t and staff_t is that the latter has access to privileges via su, sudo and etc. staff_t is user user_t with access to root. Practically that makes staff_r useful for confined administration. Whereas user_t is not useful for that because user_t cannot gain root. These days things are more complicated with other ways to gain privileges like policykit and others but the essence is, AFAIK, still the same and even though systemd and others can leverage policykit even in a non-gui environment it is still optional functionality. > > The role transition rules generally aren't used for anything and the roles > permitted to an identity determine what role transitions can be used. > > The vast majority of use of the reference policy is for "targeted" > configurations without even using user_r. > > Is there any reason for keeping staff_r? Reference policy is a hybrid between strict and targeted. You can remove or disable the targeted aspect and effectively enforce a strict policy and this is where these confined login user domains are essential. -- gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcinimod@defensec.nl