1 |
On Tue, Jul 15, 2014 at 06:02:32PM +0000, Sven Vermeulen wrote: |
2 |
> jump into the proper changes (together with perfinion and other developers), |
3 |
^.^ |
4 |
|
5 |
> Role segregation |
6 |
> ================ |
7 |
> |
8 |
> Which roles to make available? |
9 |
> ------------------------------ |
10 |
> |
11 |
> My opinion: I don't mind to support them all (i.e. document the use and the |
12 |
> principles behind them and making these roles available through the base |
13 |
> policy). I have most of them (except logadm_r) running on all my production |
14 |
> systems anyway so I might as well support them through Gentoo Linux. |
15 |
|
16 |
The ones that are in refpolicy are probably not hard to support. The issue is |
17 |
more of what type of machine it is. My things are all mostly personal machines |
18 |
so I dont want to have 10 different accounts and keep changing between for |
19 |
single commands. For companies tho I can definitely see them using all the |
20 |
roles for different people in the company. Currently if people want to use all |
21 |
of them they will need a lot of work because we dont provide much for it. |
22 |
|
23 |
Do we happen to have any information about big installations that use |
24 |
gentoo and selinux and what their use-cases are? |
25 |
|
26 |
> Differentiation between staff_r and user_r? |
27 |
> ------------------------------------------- |
28 |
> |
29 |
> Depending on the outcome of the previous question, there are two approaches |
30 |
> to take between staff_r and user_r: |
31 |
> |
32 |
> 1. Have staff_r and user_r remain "in sync" with just the newrole_t |
33 |
> difference, or |
34 |
> 2. Only support "less risky" domains in staff_r and reduce user domain |
35 |
> privileges |
36 |
|
37 |
I personally use staff_r as my main account and do not use user_r at all |
38 |
so I just end up having an extra policy which enables things that are |
39 |
in user but not staff (wine, dropbox etc) on my laptop. Im not sure what |
40 |
the right way to do things for this is. I think having most of the |
41 |
things the same in staff/user is not that big of a deal since if you |
42 |
dont have sec-policy/selinux-dropbox installed, the optional() block |
43 |
just disappears. Although if someone can install packages then it |
44 |
suddenly gets enabled but I think at that point it is already game over. |
45 |
|
46 |
> Init script support |
47 |
> =================== |
48 |
> |
49 |
> Transparent full system administration? |
50 |
> --------------------------------------- |
51 |
> |
52 |
> So not this: ~# run_init rc-service nfs start |
53 |
> But this: ~# rc-service nfs start |
54 |
|
55 |
This is sort of annoying honestly, Im in favour of removing run_init in |
56 |
front and make it just happen automatically. That said, I do like that |
57 |
it can authenticate (I like it on my server since I dont restart things |
58 |
much but dislike it on my laptop where I have less running and start |
59 |
them manually when I need them. I think we should integrate this into |
60 |
openrc directly but ideally i'd like to be able to keep the pam |
61 |
authentication parts of it so that people can choose if they want to |
62 |
type the password or not. |
63 |
|
64 |
I also saw someone having issues with puppet or one of those cuz it just |
65 |
ran the script and adding run_init in front was complicated. |
66 |
|
67 |
> sysadm_r for System operational administration only? |
68 |
> ---------------------------------------------------- |
69 |
|
70 |
This seems like it would be a big hurdle for most new (and old?) users. |
71 |
If we enable more of the roles from above then perhaps there can be some |
72 |
roles that are disallowed it but I think changing the current behavior |
73 |
is a little strange. |
74 |
|
75 |
> Follow the Gentoo-is-about-choice paradigm and support both through USE? |
76 |
> ------------------------------------------------------------------------ |
77 |
|
78 |
There is currently a use-flag for unconfined, making similar useflags |
79 |
(or a use_expand?) for how the roles should be used sounds like the |
80 |
easiest way. If people install with the defaults they get staff/sysadm |
81 |
like exist currently but if they enable some of the other roles then |
82 |
maybe sysadm would lose some of its privs to that other role. (eg enable |
83 |
secadm and sysadm is no longer able to change the policy) |
84 |
|
85 |
> Disadvantages: implementation possibilities are reduced (but hey, what do |
86 |
> you care, right?) |
87 |
|
88 |
How are they reduced? You mean ways to implement the policy or ways to |
89 |
use it as a user? How much more complicated would this become for the |
90 |
policy? |
91 |
|
92 |
-- Jason |