Odd boolean in /etc/selinux/strict/booleans?
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 31 18:41:38 UTC 2005
Ivan Gyurdiev wrote:
>>I think we need to maybe stop marking certain defined domains as
>>exec_type. To prevent all users from being able to execute the
>>application without a transition.
>>
>>
>
>If you want to prevent all users from being able to execute the app
>w/out a transition, then disable_trans to false, and that should
>suffice, shouldn't it?
>
>
>
>>Even in your example I disable-trans for games and then accidentally
>>run some game as sysadm, bad things can happen.
>>
>>
>
>So what you really want is to always transition for sysadm,
>regardless of what disable_trans is set to.
>
>if (! disable_games_trans) {
>domain_auto_trans($1_t, games_exec_t, $1_games_t)
>}
>ifelse($1, sysadm, `
>domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
>')
>
>
>
No, that is only an example. I am thinking more to the attribute exec_type.
Every exec_t we are currently defining as exec_type, which allows all
users (user_t, staff_t, sysadm_t) to execute the app. If we want the app
to be only executable by certain users and to require a trans, we need to
eliminate the exec_type attribute on the exec_t.

One of the things that has been discussed with MLS is the idea of a secadm
for manipulating policy versus a sysadm for doing everything else. The
argument in the past was that you could not properly isolate the two so
that a hostile user in one domain could not gain access to the other
domain. What I am thinking is not how to prevent the hostile user but to
prevent the accidental usage by a non-hostile user. So if we defined
sysadm_r as not being able to execute checkpolicy, load_policy and
secadm_r not able to execute anything but checkpolicy, load_policy, we
could at least force people to become cognizant of the role they are in.

So if I am in secadm_r and I accidentally try to run mozilla, it will give
me an error.
Dan