Odd boolean in /etc/selinux/strict/booleans?

Daniel J Walsh dwalsh at redhat.com
Thu Mar 31 18:41:38 UTC 2005

Ivan Gyurdiev wrote:

>>I think we need to maybe stop marking certain defined domains as
>>exec_type.  To prevent all users from being able to execute the
>>application without a transition.
>If you want to prevent all users from being able to execute the app
>w/out a transition, then disable_trans to false, and that should
>suffice, shouldn't it?
>>Even in your example I disable-trans for games and then accidentally
>>run some game as sysadm, bad things can happen.
>So what you really want is to always transition for sysadm,
>regardless of what disable_trans is set to.
>if (! disable_games_trans) { 
>domain_auto_trans($1_t, games_exec_t, $1_games_t)
>ifelse($1, sysadm, `
>domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)

No, that is only an example.  I am thinking more to the attribute exec_type.

Every exec_t we are currently defining as exec_type, which allows all
users (user_t, staff_t, sysadm_t) to execute the app.  If we want the app
to be only executable by certain users and to require a trans, we need to
eliminate the exec_type attribute on the exec_t.

One of the things that has been discussed with MLS is the idea of a
secadm for manipulating policy versus a sysadm for doing everything else.
The argument in the past was that you could not properly isolate the two
so that a hostile user in one domain could not gain access to the other
domain.  What I am thinking is not how to prevent the hostile user but to
prevent the accidental usage by a non-hostile user.  So if we defined
sysadm_r as not being able to execute checkpolicy, load_policy and
secadm_r not able to execute anything but checkpolicy, load_policy, we
could at least force people to become cognizant of the role they are in.

So if I am in secadm_r and I accidentally try to run mozilla, it will give
me an error.
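
Added example, not part of the original message or of the Fedora policy: a small Python model of the attribute mechanism discussed above. It evaluates allow rules, with attributes expanded, before and after dropping exec_type from the checkpolicy and load_policy file types. The policy fragments are constructed, secadm_t is a hypothetical domain for secadm_r, and the permission sets are assumptions.

```python
import re

# Constructed fragments in SELinux policy syntax, not the Fedora strict policy.
# secadm_t is a hypothetical domain for secadm_r; the permission sets are assumed.
BEFORE = """
type mozilla_exec_t, file_type, exec_type;
type checkpolicy_exec_t, file_type, exec_type;
type load_policy_exec_t, file_type, exec_type;
allow { user_t staff_t sysadm_t secadm_t } exec_type:file { read getattr execute execute_no_trans };
"""
AFTER = """
type mozilla_exec_t, file_type, exec_type;
type checkpolicy_exec_t, file_type;   # exec_type dropped
type load_policy_exec_t, file_type;   # exec_type dropped
allow { user_t staff_t sysadm_t } exec_type:file { read getattr execute execute_no_trans };
allow secadm_t { checkpolicy_exec_t load_policy_exec_t }:file { read getattr execute };
"""

FIELD = r"(\{[^}]*\}|[\w.]+)"
ALLOW = re.compile(rf"\s*allow\s+{FIELD}\s+{FIELD}\s*:\s*(\w+)\s+{FIELD}\s*$")

def names(field):
    """Split 'a' or '{ a b c }' into a set of identifiers."""
    return set(field.strip("{} ").split())

def parse(policy):
    """Return (attribute -> member types, list of allow rules)."""
    members, rules = {}, []
    for stmt in re.sub(r"#.*", "", policy).split(";"):
        tok = stmt.replace(",", " ").split()
        if tok[:1] == ["type"]:
            for attr in tok[2:]:
                members.setdefault(attr, set()).add(tok[1])
        elif tok[:1] == ["allow"]:
            src, tgt, cls, perms = ALLOW.match(stmt).groups()
            rules.append((names(src), names(tgt), cls, names(perms)))
    return members, rules

def can(policy, domain, target, perm, cls="file"):
    """True if some allow rule grants perm once attributes are expanded."""
    members, rules = parse(policy)
    expand = lambda ns: set().union(*(members.get(n, {n}) for n in ns))
    return any(domain in expand(s) and target in expand(t) and c == cls and perm in p
               for s, t, c, p in rules)

if __name__ == "__main__":
    for label, pol in (("before", BEFORE), ("after", AFTER)):
        for dom in ("sysadm_t", "secadm_t"):
            for tgt in ("mozilla_exec_t", "checkpolicy_exec_t"):
                print(label, dom, tgt, can(pol, dom, tgt, "execute"))
```

In the AFTER fragment secadm_t holds execute but not execute_no_trans on the two policy tools, which models "require a trans"; a real policy would also need the matching domain transition rules.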


