[DSE-Dev] Bug#933858: (no subject)

Dominick Grift dominick.grift at defensec.nl
Tue Aug 6 08:37:20 BST 2019


There is some history to all of this. Reference policy is a continuation of the NSA example policy.
The NSA example policy was a "strict" policy that aimed to enforce "least privilege".

Least privilege means that processes only get the permissions they need to do the job.

Much later on, after Tresys took over the example policy from NSA and renamed it to reference policy, Red Hat invented the unconfined domain.
The early "targeted" Red Hat policy only had unconfined users (there was no sysadm_u/staff_u etc).

Later on the Fedora targeted policy got merged with Tresys strict reference policy.

The idea was that one could *optionally* allow unconfined domains; confined and unconfined domains *can optionally* live side by side, but they weren't intended to mingle.
You can make today's "targeted" policy "strict" by disabling the unconfined module.

sysadm is the confined (least privilege) equivalent to unconfined.

In theory that means that sysadm should be able to do pretty much anything that unconfined can do.

The difference between the two is that integrity is enforced in sysadm sessions (least privilege is enforced), whereas there is no integrity (least privilege) in unconfined sessions.

Enforcing some integrity in a session that should be able to do virtually anything is impossible, so as sysadm_u you will inevitably notice rough edges.
However, with work, the situation for sysadm can improve, but it will never be perfect.

If you so desire then you can give sysadm_u access to unconfined_r. However this was not the intended design.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
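The check a practitioner would want after reading the post, as an added example that is not part of the original message: a POSIX shell audit of whether a host's "targeted" policy is actually running "strict" in the sense described above, i.e. the unconfined module is disabled and no login is mapped to unconfined_u. The column layouts assumed for `semodule -lfull` and `semanage login -l` are an assumption, and the sample output is constructed, so the parsers can be exercised offline.

```shell
# Added example, not from the mailing-list post. Parses the text output of
# `semodule -lfull` and `semanage login -l` (column layout is an assumption)
# so the check can be run against constructed sample output without SELinux.

# Return 0 if an "unconfined" module is listed and every listing is disabled.
# Expected line shape: "<priority> <name> <lang> [disabled]"
unconfined_module_disabled() {
    printf '%s\n' "$1" | awk '
        $2 == "unconfined" { seen = 1; if ($4 != "disabled") active = 1 }
        END { exit !(seen && !active) }'
}

# Print the login names whose SELinux user is unconfined_u.
# Expected line shape: "<login> <selinux_user> <range> <service>", header on line 1
logins_mapped_unconfined() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "unconfined_u" { print $1 }'
}

# Constructed sample output (not captured from a real system).
SAMPLE_MODULES='400 unconfined        pp disabled
100 unconfined        pp disabled
100 sysadm            pp
100 userdomain        pp'

SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
root                 sysadm_u             s0-s0:c0.c1023       *
deploy               unconfined_u         s0-s0:c0.c1023       *'

# Summarise both checks; a "strict" host disables the module and maps nobody to unconfined_u.
strictness_report() {
    if unconfined_module_disabled "$1"; then
        echo "unconfined module: disabled (strict)"
    else
        echo "unconfined module: enabled (targeted)"
    fi
    unc=$(logins_mapped_unconfined "$2")
    if [ -n "$unc" ]; then
        printf 'logins still mapped to unconfined_u: %s\n' "$(printf '%s' "$unc" | tr '\n' ' ')"
    else
        echo "no logins mapped to unconfined_u"
    fi
}

strictness_report "$SAMPLE_MODULES" "$SAMPLE_LOGINS"
```

On a live host, pass `"$(semodule -lfull)"` and `"$(semanage login -l)"` instead of the samples.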
