Re: [atomic-devel] A new policy rpm for Atomic?
- From: Miroslav Grepl <mgrepl redhat com>
- To: Daniel J Walsh <dwalsh redhat com>, atomic-devel <atomic-devel projectatomic io>
- Subject: Re: [atomic-devel] A new policy rpm for Atomic?
- Date: Tue, 28 Jun 2016 13:19:28 +0200
On 06/28/2016 01:12 PM, Daniel J Walsh wrote:
>
>
> On 06/27/2016 02:04 AM, Miroslav Grepl wrote:
>> Hi guys,
>> I am finally looking at the open Atomic issues with SELinux, for what we
>> came up with in seatomic, and I want to move it forward. My idea is that we
>> could start shipping selinux-policy-atomic.rpm, based on
>> selinux-policy-targeted, where we could reduce the number of types and
>> add any needed changes.
>>
>> For example
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1309075
>>
>> is a good example. If we add a new label we will have an issue because
>> we don't have "mac_admin" for unconfined_service_t.
>>
>> So we could start to discuss how it is possible to ship a new policy on
>> Atomic to solve these urgent issues.
>>
>> Can you guys think about a way to do it? Can you identify possible
>> issues with that?
>>
>>
>> Thank you,
>>
> I guess we could ask whether it is important or not. The main reason to stop
> unconfined processes from having mac_admin is to stop typos when a user does
> something like
>
> chcon -t http_sys_content_t badexample.html
>
> Probably not something that will often be done on the Atomic platform. The
> other option is to just have install_t and install_exec_t and only give this
> to the domains that atomic host uses for installing new versions of policy.
>
> Handling docker and container context will be interesting, since we could
> finally break away from badly named types like svirt_lxc_net_t and
> svirt_sandbox_file_t. (container_net_t and container_image_t?)
Yes, and we can do that also with the current language. My point is we
need to find a way to replace the current selinux-policy-targeted.rpm on
Atomic with a new selinux-policy-atomic.rpm as a first important step to
get a new policy on Atomic.
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
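The typo scenario in the thread above (chcon -t http_sys_content_t, where the intended type is httpd_sys_content_t) is exactly what the missing mac_admin permission catches: without it the kernel refuses to store a context whose type is not defined in the loaded policy, with it the bogus label is written silently. The following added example, which is not code from this thread or from the Atomic or selinux-policy projects, shows a userspace check that gives the same protection regardless of what the calling domain is allowed to do: it collects the types known to the policy from a file_contexts file, refuses a chcon for an undefined type, and suggests the closest defined names. The embedded file_contexts sample is constructed for the example, and the default path /etc/selinux/targeted/contexts/files/file_contexts is an assumption about a targeted-policy host (on a real system `seinfo -t` is the more complete source of type names, since file_contexts only lists types that have a default file spec).

```python
"""Refuse `chcon -t TYPE` when TYPE is not defined in the loaded SELinux policy.

Added example for the atomic-devel thread on mac_admin and chcon typos;
not part of the Atomic or selinux-policy projects.
"""
import difflib
import re

# Constructed sample in file_contexts format (regex, optional file-type flag,
# security context); not a copy of any real policy file.
SAMPLE_FILE_CONTEXTS = """\
# comment lines and blank lines are ignored
/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?          system_u:object_r:httpd_sys_script_exec_t:s0
/usr/bin/docker             --  system_u:object_r:docker_exec_t:s0
/var/lib/docker(/.*)?           system_u:object_r:docker_var_lib_t:s0
/etc/selinux(/.*)?              system_u:object_r:selinux_config_t:s0
/dev/null                   -c  system_u:object_r:null_device_t:s0
/proc/.*                        <<none>>
"""

# Assumed location on a targeted-policy host; adjust for other policy stores.
DEFAULT_FILE_CONTEXTS = "/etc/selinux/targeted/contexts/files/file_contexts"

# path regex, optional "-x" file-type flag (e.g. --, -d, -c), then the context.
_LINE_RE = re.compile(r"^(\S+)\s+(?:(-[a-z-])\s+)?(\S+)$")


def types_from_file_contexts(text):
    """Return the set of SELinux types named in file_contexts-formatted text."""
    types = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE_RE.match(line)
        if not match:
            continue
        context = match.group(3)
        if context == "<<none>>":  # explicit "do not relabel" marker
            continue
        fields = context.split(":")  # user:role:type[:range]
        if len(fields) >= 3:
            types.add(fields[2])
    return types


def load_system_types(path=DEFAULT_FILE_CONTEXTS):
    """Read the host's file_contexts and return its type set."""
    with open(path, encoding="utf-8") as fh:
        return types_from_file_contexts(fh.read())


def check_type(requested, known_types):
    """Return (is_defined, close_matches) for a requested type name."""
    if requested in known_types:
        return True, []
    suggestions = difflib.get_close_matches(
        requested, sorted(known_types), n=3, cutoff=0.8
    )
    return False, suggestions


def safe_chcon_argv(path, type_name, known_types):
    """Build the chcon argv for a defined type, or raise ValueError for a typo.

    Mirrors what the kernel does for a domain without mac_admin (EINVAL on an
    undefined type) but also tells the operator what they probably meant.
    """
    ok, suggestions = check_type(type_name, known_types)
    if not ok:
        hint = f"; did you mean {', '.join(suggestions)}?" if suggestions else ""
        raise ValueError(
            f"type {type_name!r} is not defined in the loaded policy{hint}"
        )
    return ["chcon", "-t", type_name, "--", path]


if __name__ == "__main__":
    known = types_from_file_contexts(SAMPLE_FILE_CONTEXTS)
    for candidate in ("httpd_sys_content_t", "http_sys_content_t"):
        try:
            print(" ".join(safe_chcon_argv("badexample.html", candidate, known)))
        except ValueError as err:
            print(f"refused: {err}")
```

Run against the constructed sample, the intended type is accepted and the typo is refused with httpd_sys_content_t as the suggested correction. On a live host, pass the result of load_system_types() instead of the sample set; if the domain lacks mac_admin the kernel would reject the typo anyway, but the wrapper turns an opaque "Invalid argument" into an actionable message, and it still helps when the command is run from a domain (such as unconfined_service_t with mac_admin) that the kernel would let mislabel the file.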