On 5/2/2011 3:26 PM, Sven Vermeulen wrote:
> sec-policy/selinux-base-policy-2.20101213-r13 is pushed to the overlay. The
> most notable change here is that the ebuild now uses a local USE flag "ubac"
> which enables User Based Access Control within the policy.
>
> Previously, UBAC was enabled but could not be disabled. However, most other
> distributions have disabled UBAC and are waiting for the RBAC model within
> SELinux to improve. Although this work is on the way, it isn't there yet and
> I personally do not dislike the UBAC idea.
>
> However, we have at least one issue that was difficult to debug due to UBAC:
> the vixie-cron "ENTRYPOINT FAILED" messages. Apparently, vixie-cron checks
> the privileges on the users' crontab. However, if the root crontab wasn't
> created by a console-logged-on root user (SELinux identity "root") but
> through a su(do)'ed user (SELinux identity "staff_u" most likely), then the
> UBAC kicked in and didn't allow cron to work.
>
> Although the solution is simple (either create the root cronjob through the
> root SELinux identity, or change the SELinux identity of the crontab file to
> "root" afterwards), disabling UBAC also works here.
>
> We had a small discussion on #gentoo-hardened and a larger discussion on
> #selinux about UBAC. Nice as we are, we of course do not want to force any
> choice upon our users, so we decided to see if we can work with a USE flag
> to switch the UBAC functionality. The only remaining discussion is if we
> want to have this USE flag enabled by default, or not. If we want to enable
> it by default, we should work with the pending upgrade of the profiles to do
> so. But imo, we do not really have to enable it by default.

I can't disagree with this more vehemently. This should not be made a
USE flag. If the user doesn't want role separations, then they should
be using unconfined users. Making this an option means users
unwittingly neuter the role separation by eliminating app, home
directory, temp directory, etc. separations.

This is a wrong band-aid fix for the cron issue. It sounds like the
cron code needs to be fixed.

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux
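
The crontab identity mismatch described in the quoted message (a root crontab labelled with the "staff_u" identity instead of "root") can be checked for by comparing the user field of each crontab's security context with the identity expected for its owner. The following is an added example, not part of either post and not Gentoo or cron code; the function names, the login-to-identity mapping and the sample labels are assumptions constructed for illustration.

```python
import os
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range, empty when the policy has none

def parse_context(raw: str) -> Context:
    """Split 'user:role:type[:range]'; the range may itself contain ':'."""
    parts = raw.rstrip("\x00\n").split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a security context: {raw!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else "")

def read_context(path: str) -> str:
    """Read a file's label from the security.selinux xattr (Linux only)."""
    return os.getxattr(path, "security.selinux").decode()

def audit_crontabs(entries, expected_identity):
    """Return (name, found_user, expected_user) for each mismatched crontab.

    entries: iterable of (crontab_name, raw_context)
    expected_identity: Linux login -> SELinux identity (assumed to be
    supplied by the administrator from the system's login mappings).
    """
    findings = []
    for name, raw in entries:
        want = expected_identity.get(name)
        if want is None:
            continue  # no mapping known, nothing to compare against
        found = parse_context(raw).user
        if found != want:
            findings.append((name, found, want))
    return findings

# Constructed sample labels: root's crontab was created through a
# su(do)'ed staff_u session, the case described in the thread.
SAMPLE = [
    ("root", "staff_u:object_r:user_cron_spool_t"),
    ("alice", "staff_u:object_r:user_cron_spool_t"),
    ("backup", "root:object_r:user_cron_spool_t:s0-s0:c0.c1023"),
]
EXPECTED = {"root": "root", "alice": "staff_u", "backup": "root"}

if __name__ == "__main__":
    for name, found, want in audit_crontabs(SAMPLE, EXPECTED):
        print(f"{name}: crontab labelled {found}, expected {want}")
```

On a live system the `entries` list would be built by calling `read_context()` on each file in the cron spool directory.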