Drawing lessons from fatal SELinux bug #1054350
Kevin Kofler
kevin.kofler at chello.at
Fri Jan 24 12:56:55 UTC 2014
drago01 wrote:
> The "feature" is called security. By your logic everyone should be
> root,
For home user machines, that wouldn't necessarily be a bad thing (but it
would mean fixing the software that special-cases the root user improperly
for no good reason).
Alternatively, the kernel could be patched to give "admin users" (either
defined as members of the "wheel" group as now, or by some additional
property that would be set for the same users by default) some strategic
capabilities such as dac_override. That would also put an end to the endless
annoyance of having to sudo all the time. (And by the way, sudo and
PolicyKit actions should be allowed with no password (rather than the user
password as now) for wheel group members by default.) That way, you still
get the benefits from different accounts, e.g., different preferences per
family member, without the current restrictions imposed to "normal" users.
The endless password prompts make a lot of sense in controlled corporate
environments with dedicated system administrators, but on home machines,
they are just an unnecessary annoyance.
>> * SELinux works by shipping a "policy" that effectively tries to specify
>> in one single place (read: single point of failure!) everything any
>> program in Fedora (scalability disaster!) ever wants to do
>> (second-guessing its actual code, i.e., duplication of all logic!).
>
> That's not how it works not how it supposed to work. Please read on MAC.
Uh, I know how it works. The above is how I summarize it. If you think that
is incorrect, please explain HOW.
>> * An update to that SELinux policy was shipped that BREAKS the most
>> critical tools in Fedora, the ones required to update the system and thus
>> install the fixes for any regressions, including the very regression that
>> caused the breakage. And also any automated workarounds are blocked by
>> design.
>
> No idea what "automated workaround" means but there are other ways to
> deal with it see Colin's post.
A %pretrans scriptlet that fixes the problem without manual user
intervention (other than OKing the update). But SELinux won't allow RPMs to
mess with it that way (especially without invoking an external executable,
which is blocked by the faulty policy) because it would defeat its flawed
security model.
> Yeah so we should find out why this happened and improve the testing
> procedures to not let it happen in the feature (again see Colin's mail).
NO amount of testing is going to prevent regressions from happening
occasionally. This means:
* we need to eliminate common sources of regressions such as SELinux, to
prevent whole classes of regressions from occurring in the first place
(prevention is better than duct tape!) and
* we have to accept that regressions can always happen and allow for fast
fixes to those regressions (direct stable pushes).
>> So, what needs to happen:
>> * SELinux must be disabled (or preferably, not installed in the first
>> place, to avoid wasting space for nothing) by default! Just consider the
>> benefits (none!)
>
> As stated above that's not true.
As stated above, that IS true. :-)
>> * The Update Policies must be repealed. This regression has shown us that
>> not only they totally failed at preventing it, but they are actively
>> contributing to exposing MORE users to broken updates by delaying
>> regression fixes. (This kind of regression fixes needs to go out DIRECTLY
>> to stable!)
>
> This is a contradiction "our current testing didn't find the bug so
> how about we do no testing at all".
There is no contradiction. Doing away with policies that do not work is
perfectly logical, as is allowing quick regression fixes because regressions
do happen no matter how much you test.
Kevin Kofler
More information about the devel
mailing list