Fedora 11: moving to posix file capabilities?
Steve Grubb
sgrubb at redhat.com
Wed Oct 29 20:39:59 UTC 2008
On Wednesday 29 October 2008 15:25:15 Colin Walters wrote:
> On Wed, Oct 29, 2008 at 3:13 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> > 1) We've spent a lot of time on getting audit right. We can tell what
> > account was logged in under and find every single application that was
> > started as a result of that login. Message passing breaks this.
>
> True, though how interesting is the question of "what binaries were
> executed" as opposed to the system having enough intelligence to
> display security-relevant information?
Not sure I follow your question. I am talking about /proc/<pid>/loginuid and
sessionid.
> > 2) There is no accountability for what actions are performed for each
> > user. The audit system cannot tell who something was done for.
>
> Should be easy to add such auditing; actually I think we do want to
> have dbus audit on system activation regardless of PolicyKit.
Again I'm talking about loginuid and sessionid.
> > 3) There is yet another MAC policy with no auditing of access decisions.
>
> Duplicate of 2)?
No this is about PolicyKit being another MAC system that needs configuring.
> As for the sysadmin impact, yes, there is a concern there but
> there is documentation:
> http://hal.freedesktop.org/docs/PolicyKit/PolicyKit.conf.5.html
Where's the GUI or commandline tool that lets me configure it? I may need to
have auditing of who changed what entry in that file. When I chmod 4755 a
program, I know who changed it, what the old and new values are, when they
did it, and what the outcome was.
> Anyways, I don't want to completely derail this discussion on fcap
> into suid-vs-PolicyKit;
True...but this is a discussion that needs to be had so that it can be fixed.
Auditing from user space is not trustworthy and that's why its done from the
kernel. A user space daemon making access control decisions will not be
something I want to see getting spread into things that are part of the next
CC evaluation.
-Steve
More information about the fedora-devel-list
mailing list