| 1 |
On Tue, Jul 15, 2014 at 06:02:32PM +0000, Sven Vermeulen wrote: |
| 2 |
> jump into the proper changes (together with perfinion and other developers), |
| 3 |
^.^ |
| 4 |
|
| 5 |
> Role segregation |
| 6 |
> ================ |
| 7 |
> |
| 8 |
> Which roles to make available? |
| 9 |
> ------------------------------ |
| 10 |
> |
| 11 |
> My opinion: I don't mind to support them all (i.e. document the use and the |
| 12 |
> principles behind them and making these roles available through the base |
| 13 |
> policy). I have most of them (except logadm_r) running on all my production |
| 14 |
> systems anyway so I might as well support them through Gentoo Linux. |
| 15 |
|
| 16 |
The ones that are in refpolicy are probably not hard to support. The issue is |
| 17 |
more of what type of machine it is. My things are all mostly personal machines |
| 18 |
so I dont want to have 10 different accounts and keep changing between for |
| 19 |
single commands. For companies tho I can definitely see them using all the |
| 20 |
roles for different people in the company. Currently if people want to use all |
| 21 |
of them they will need a lot of work because we dont provide much for it. |
| 22 |
|
| 23 |
Do we happen to have any information about big installations that use |
| 24 |
gentoo and selinux and what their use-cases are? |
| 25 |
|
| 26 |
> Differentiation between staff_r and user_r? |
| 27 |
> ------------------------------------------- |
| 28 |
> |
| 29 |
> Depending on the outcome of the previous question, there are two approaches |
| 30 |
> to take between staff_r and user_r: |
| 31 |
> |
| 32 |
> 1. Have staff_r and user_r remain "in sync" with just the newrole_t |
| 33 |
> difference, or |
| 34 |
> 2. Only support "less risky" domains in staff_r and reduce user domain |
| 35 |
> privileges |
| 36 |
|
| 37 |
I personally use staff_r as my main account and do not use user_r at all |
| 38 |
so I just end up having an extra policy which enables things that are |
| 39 |
in user but not staff (wine, dropbox etc) on my laptop. Im not sure what |
| 40 |
the right way to do things for this is. I think having most of the |
| 41 |
things the same in staff/user is not that big of a deal since if you |
| 42 |
dont have sec-policy/selinux-dropbox installed, the optional() block |
| 43 |
just disappears. Although if someone can install packages then it |
| 44 |
suddenly gets enabled but I think at that point it is already game over. |
| 45 |
|
| 46 |
> Init script support |
| 47 |
> =================== |
| 48 |
> |
| 49 |
> Transparent full system administration? |
| 50 |
> --------------------------------------- |
| 51 |
> |
| 52 |
> So not this: ~# run_init rc-service nfs start |
| 53 |
> But this: ~# rc-service nfs start |
| 54 |
|
| 55 |
This is sort of annoying honestly, Im in favour of removing run_init in |
| 56 |
front and make it just happen automatically. That said, I do like that |
| 57 |
it can authenticate (I like it on my server since I dont restart things |
| 58 |
much but dislike it on my laptop where I have less running and start |
| 59 |
them manually when I need them. I think we should integrate this into |
| 60 |
openrc directly but ideally i'd like to be able to keep the pam |
| 61 |
authentication parts of it so that people can choose if they want to |
| 62 |
type the password or not. |
| 63 |
|
| 64 |
I also saw someone having issues with puppet or one of those cuz it just |
| 65 |
ran the script and adding run_init in front was complicated. |
| 66 |
|
| 67 |
> sysadm_r for System operational administration only? |
| 68 |
> ---------------------------------------------------- |
| 69 |
|
| 70 |
This seems like it would be a big hurdle for most new (and old?) users. |
| 71 |
If we enable more of the roles from above then perhaps there can be some |
| 72 |
roles that are disallowed it but I think changing the current behavior |
| 73 |
is a little strange. |
| 74 |
|
| 75 |
> Follow the Gentoo-is-about-choice paradigm and support both through USE? |
| 76 |
> ------------------------------------------------------------------------ |
| 77 |
|
| 78 |
There is currently a use-flag for unconfined, making similar useflags |
| 79 |
(or a use_expand?) for how the roles should be used sounds like the |
| 80 |
easiest way. If people install with the defaults they get staff/sysadm |
| 81 |
like exist currently but if they enable some of the other roles then |
| 82 |
maybe sysadm would lose some of its privs to that other role. (eg enable |
| 83 |
secadm and sysadm is no longer able to change the policy) |
| 84 |
|
| 85 |
> Disadvantages: implementation possibilities are reduced (but hey, what do |
| 86 |
> you care, right?) |
| 87 |
|
| 88 |
How are they reduced? You mean ways to implement the policy or ways to |
| 89 |
use it as a user? How much more complicated would this become for the |
| 90 |
policy? |
| 91 |
|
| 92 |
-- Jason |
Archives