I am almost done sketching the outlines of DSSP3. I need some time to audit the things I did, though. Today, when perusing some of the functionality, I hit an issue with name-based type transitions. Might be a bug. Sure looks like it. So yes, bummer, but the show must go on.

So I have the basic system domain ready. I just need to start targeting more and more system services. I did a few so far, just enough to get the system to boot in enforcing mode and with some basic stuff addressed properly: Networkd, Resolved, Logind, Login, Getty, the SSH server and a few more, also chkpwd and updpwd as those are used by PAM. System logins are allowed by default, but can be disabled with the login.sys_login and ssh.daemon.sys_login booleans respectively. There is an unprivileged user account, user.id, and one with sudo access to the system account, wheel.id. All unprivileged users share the same login shell permissions with one exception: role access. The wheel.role may associate with sudo.subj, where the user.role may not.

I've revisited my RBACSEP and man, it gets complicated really quick. Roles need to be allowed to associate with types, but the idea was that I did not want to give roles carte blanche to just go and associate with all object types (I did that in DSSP2 and it makes things a lot easier). So now I am constantly identifying system objects that users need to be able to create objects on. Examples are extended attribute file systems in general. Then there are the constraints. RBACSEP-constrained roles aren't allowed to write to system files unless explicitly told otherwise. They can read all from a RBACSEP perspective, just no write operations. Exceptions are: /dev/tty, /dev/zero, various sock files (dbus for example), but also selinuxfs files (yes, selinuxfs has files that are widely writable).
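To make the RBACSEP rule described above concrete, here is an added illustration in CIL. It is not taken from DSSP3; the attribute names (rbacsep.constrained_role, rbacsep.exempt_obj) and the object types in the exempt set are assumed placeholders, and the fragment assumes the roles, types and the file class are already declared elsewhere in the policy.

```cil
; Added illustration of the RBACSEP constraint idea, not DSSP3 policy.
; All identifiers below are assumed placeholders.

; Roles that RBACSEP constrains (user.role and wheel.role as in the post,
; the attribute name is assumed)
(roleattribute rbacsep.constrained_role)
(roleattributeset rbacsep.constrained_role (user.role wheel.role))

; Object types a constrained role may write regardless of the role in the
; object's context: the tty, /dev/zero, sock files, selinuxfs files
; (type names are assumed)
(typeattribute rbacsep.exempt_obj)
(typeattributeset rbacsep.exempt_obj (tty.obj zero.obj dbus.sock selinuxfs.obj))

; Role association: wheel.role may associate with sudo.subj,
; user.role is deliberately not given this association
(roletype wheel.role sudo.subj)

; Allow rules still grant write-like file permissions, but this constraint
; additionally requires one of: the source role is not constrained, the role
; in the object's context matches the source role (r1 eq r2), or the object
; type is explicitly exempted. Read permissions are left unconstrained.
(constrain (file (write append create setattr unlink link rename))
    (or
        (neq r1 rbacsep.constrained_role)
        (or
            (eq r1 r2)
            (eq t2 rbacsep.exempt_obj))))
```

Because the constraint is evaluated after the allow rules, adding a new system object type for constrained roles means both an allow rule and either a matching role in its context or membership in the exempt attribute.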
The RBACSEP implementation is very expensive in DSSP3, and now I remember why I decided to cut some corners there in DSSP2. There were quite a few déjà vu moments for me so far. The next step is to address confined privileged roles, and then it's just a matter of “porting” stuff. Eventually I will probably migrate to DSSP3. DSSP3 can be tuned to be pretty strict with some work, but by default it is very open. Also, the system domain is very broad, but it makes things so much easier. I am getting used to the DSSP3 policy design and I am starting to really appreciate some of the decisions I made.
Regardless, once I have taken care of the basics for confined privileged roles, the focus will be on wheel.id and on system services (short and long).