Security enthusiasts wanted: from beginners up to SELinux experts to make up the SELinux "Confined Users (SIG)" to foster Fedora's security capabilities

Well, you can test confined user accounts to get some understanding of SELinux and to contribute to Fedora, and if “things” that work without confinement do not work with confinement, you get the related data and open a ticket at our SELinux team’s GitHub repo so that we achieve at some point that confined user accounts work as good as none-confined-accounts.

But you can also use confined user accounts in production (I do so) because they are already “usable” (but with restrictions) and provide much more security than unconfined accounts. Especially when you handle private/classified information, you have to be aware that in graphical desktop environments, you “more or less” trust all processes that run in the GUI. This poses a risk that can be mitigated with confined users. However, at the moment, as mentioned, there are restrictions on Fedora, and it would be cool to get rid of these restrictions (which first means to identify them) at some point to also enable average users to use confinement :wink:

In any case, if policies look good despite a denial, or if something that used to work does no longer work after an update, it might be worth to think if this is really a SELinux issue, or if the package has a problem. If the latter is true or indicated, this is a normal bug report at bugzilla or so (of course the environment in which an issue occurs needs to be described, which then includes the confinement).

Thus, this is something for that we do not need meetings or so. Everybody can do this on themselves. If we make this a SIG, the SIG itself would be only to propagate this opportunity (both to test/improve it, but also to use it), and to help those people who feel not sufficiently confident to do this on themselves. May it be that they are usure how to get confinement done securely/stably, or may it be that they are not sure how/what to file at the SELinux team’s repo. So this would be a very informal SIG without much “onboarding” or so.

As far as it concerns me, anyone who wants to be in can say “hello I’m in” in this topic, open topics in ask.fedora with the #confineduser tag (the first user will have to create it; should be possible by any TL1+ user in ask.fp; once a user created the tag, they should mention it here, so that I and everyone who wants can start monitoring the tag) when it comes to technical questions. Additionally, I can create a pagure repo that everyone with an FAS account can use to open tickets: may it be a ticket for issues they experience or are unsure about, or tickets if they are not sure what/how to file at the upstream repo from the SELinux team (this would be also to decrease a little their workload).

Theoretically, I do not think we need more than that (I am not sure if these things will be used much, but this can offer some confidence without much investment). I will monitor the ask.fp tag once created, and also the pagure repo to ensure no one gets lost. Everyone is free (but not obligated!) to do the same.

However, it is always good to give people some reward for contributing, so it is possible to also create a pagure group for the repo, where we can add people to have their contribution somehow mentioned. Let me know your thoughts if you want. I can create that.

1 Like