| 1 |
On 5/2/2011 3:26 PM, Sven Vermeulen wrote: |
| 2 |
> sec-policy/selinux-base-policy-2.20101213-r13 is pushed to the overlay. The |
| 3 |
> most notable change here is that the ebuild now uses a local USE flag "ubac" |
| 4 |
> which enables User Based Access Control within the policy. |
| 5 |
> |
| 6 |
> Previously, UBAC was enabled but could not be disabled. However, most other |
| 7 |
> distributions have disabled UBAC and are waiting for the RBAC model within |
| 8 |
> SELinux to improve. Although this work is on the way, it isn't there yet and |
| 9 |
> I personally do not dislike the UBAC idea. |
| 10 |
> |
| 11 |
> However, we have at least one issue that was difficult to debug due to UBAC: |
| 12 |
> the vixie-cron "ENTRYPOINT FAILED" messages. Apparently, vixie-cron checks |
| 13 |
> the privileges on the users' crontab. However, if the root crontab wasn't |
| 14 |
> created by a console-logged-on root user (SELinux identity "root") but |
| 15 |
> through a su(do)'ed user (SELinux identity "staff_u" most likely), then the |
| 16 |
> UBAC kicked in and didn't allow cron to work. |
| 17 |
> |
| 18 |
> Although the solution is simple (either create the root cronjob through the |
| 19 |
> root SELinux identity, or change the SELinux identity of the crontab file to |
| 20 |
> "root" afterwards), disabling UBAC also works here. |
| 21 |
> |
| 22 |
> We had a small discussion on #gentoo-hardened and a larger discussion on |
| 23 |
> #selinux about UBAC. Nice as we are, we of course do not want to force any |
| 24 |
> choice upon our users, so we decided to see if we can work with a USE flag |
| 25 |
> to switch the UBAC functionality. The only remaining discussion is if we |
| 26 |
> want to have this USE flag enabled by default, or not. If we want to enable |
| 27 |
> it by default, we should work with the pending upgrade of the profiles to do |
| 28 |
> so. But imo, we do not really have to enable it by default. |
| 29 |
|
| 30 |
I can't disagree with this more vehemently. This should not be made a |
| 31 |
USE flag. If the user doesn't want role separations, then they should |
| 32 |
be using unconfined users. Making this an option means users |
| 33 |
unwittingly neuter the role separation by eliminating app, home |
| 34 |
directory, temp directory, etc. separations. |
| 35 |
|
| 36 |
This is a wrong band-aid fix for the cron issue. It sounds like the |
| 37 |
cron code needs to be fixed. |
| 38 |
|
| 39 |
-- |
| 40 |
Chris PeBenito |
| 41 |
<pebenito@g.o> |
| 42 |
Developer, |
| 43 |
Hardened Gentoo Linux |
Archives