Re: Odd boolean in /etc/selinux/strict/booleans?

Ivan Gyurdiev wrote:

> > I think we need to maybe stop marking 
> > certain defined
> > domains as exec_type.  To prevent all users from being able to execute 
> > the application
> > without a transition. 
> >    
> If you want to prevent all users from being able to execute the app
> w/out a transition, then disable_trans to false, and that should
> suffice, shouldn't it?
>
>  
>
> > Even in your example I disable-trans for games 
> > and then accidentally
> > run some game as sysadm, bad things can happen.
> >    
> So what you really want is to always transition for sysadm,
> regardless of what disable_trans is set to.
>
> if (! disable_games_trans) { 
> domain_auto_trans($1_t, games_exec_t, $1_games_t)
> }
> ifelse($1, sysadm, `
> domain_auto_trans(sysadm_t, games_exec_t, sysadm_games_t)
> ')
>
>  
No that is only an example.  I am thinking more to the attribute exec_type.

Every exec_t we are currently defining as exec_type which allows all 
users (user_t, staff_t , sysadm_t)
to execute the app.  If we want the app to be only executable by certain 
users and to require a trans, we
need to eliminate the exec_type attribute on the exec_t.

One of the things that has been discussed with MLS is the idea of a 
secadm for manipulating policy versus
a sysadm for doing everything else.  The argument in the past was that 
you could not properly isolate the two
so that a hostile user in one domain could not gain access to the other 
domain.  What I am thinking is not how
to prevent the hostile user but to prevent the accidental usage by a non 
hostile user.  So if we defined sysadm_r
as not being able to execute checkpolicy, load_policy and secadm_r not 
able to execute anything but checkpolicy,
load_policy.  We  could at least force people to become cognizant of the 
role they are in. 

So if I am in secadm_r and I accidently try to run mozilla, it will give 
me an error.
Dan

--