Odd boolean in /etc/selinux/strict/booleans?

[Daniel J Walsh]

Ivan Gyurdiev wrote:

>> I think we need to maybe stop marking 
>>certain defined
>>domains as exec_type.  To prevent all users from being able to execute 
>>the application
>>without a transition. 
>>    
>>
>
>If you want to prevent all users from being able to execute the app
>w/out a transition, then disable_trans to false, and that should
>suffice, shouldn't it?
>
>  
>
>>Even in your example I disable-trans for games 
>>and then accidentally
>>run some game as sysadm, bad things can happen.
>>    
>>
>
>So what you really want is to always transition for sysadm,
>regardless of what disable_trans is set to.
>
>if (! disable_games_trans) { 
>domain_auto_trans($1_t, games_exec_t, $1_games_t)
>}
>ifelse($1, sysadm, `
>domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
>')
>
>  
>
No that is only an example.  I am thinking more to the attribute exec_type.

Every exec_t we are currently defining as exec_type which allows all 
users (user_t, staff_t , sysadm_t)
to execute the app.  If we want the app to be only executable by certain 
users and to require a trans, we
need to eliminate the exec_type attribute on the exec_t.

One of the things that has been discussed with MLS is the idea of a 
secadm for manipulating policy versus
a sysadm for doing everything else.  The argument in the past was that 
you could not properly isolate the two
so that a hostile user in one domain could not gain access to the other 
domain.  What I am thinking is not how
to prevent the hostile user but to prevent the accidental usage by a non 
hostile user.  So if we defined sysadm_r
as not being able to execute checkpolicy, load_policy and secadm_r not 
able to execute anything but checkpolicy,
load_policy.  We  could at least force people to become cognizant of the 
role they are in. 

So if I am in secadm_r and I accidently try to run mozilla, it will give 
me an error.

Dan

--