Skip to content

feat(selinux): Remove multiple permissions from trivalent_domain, reducing attack surface#2015

Merged
HastD merged 6 commits intosecureblue:livefrom
PhysicsIsAwesome:trivalent-selinux
Mar 10, 2026
Merged

feat(selinux): Remove multiple permissions from trivalent_domain, reducing attack surface#2015
HastD merged 6 commits intosecureblue:livefrom
PhysicsIsAwesome:trivalent-selinux

Conversation

@PhysicsIsAwesome
Copy link
Copy Markdown
Contributor

@PhysicsIsAwesome PhysicsIsAwesome commented Mar 6, 2026

Remove multiple permissions from trivalent_domain, including:

  • All non-user namespace capabilities
  • Some user namespace capabilities
  • Unused transition permissions

@PhysicsIsAwesome
feat(selinux): Remove dyntransition
31ade33 
`dyntransition` does not seem to be needed by trivalent:
- chromium does not make use of `setcon` at the moment
- it would probably need `setcurrent` first
- if it actually needed dyntransition, it should use `dyntrans_pattern`
@PhysicsIsAwesome
feat(selinux): Remove all non-userns capabilities
73ace8c 
By-default trivalent makes use of chromium's user namespaces sandbox instead of using the older SUID sandbox, thus capabilities outside of user namespaces are not be needed and should be removed
@PhysicsIsAwesome
feat(selinux): Remove net_admin and setpcap userns caps
3b566d9 
Remove net_admin and setpcap userns caps. They are not present in the refpolicy. Some shallow tests to run trivalent without them did not show any negative consequences nor show up in logs.
@PhysicsIsAwesome
feat(selinux): Remove self transition permission
a8376e7
@PhysicsIsAwesome PhysicsIsAwesome changed the title Remove multiple permissions from trivalent_domain, reducing attack surface feat(selinux): Remove multiple permissions from trivalent_domain, reducing attack surface Mar 6, 2026
RoyalOughtness
RoyalOughtness reviewed Mar 8, 2026
View reviewed changes
@RoyalOughtness
Copy link
Copy Markdown
Collaborator

RoyalOughtness commented Mar 8, 2026

@PhysicsIsAwesome can you document what tests you ran on this?

@PhysicsIsAwesome
Copy link
Copy Markdown
Contributor Author

PhysicsIsAwesome commented Mar 8, 2026

@PhysicsIsAwesome can you document what tests you ran on this?

Ran Trivalent, visited a few websites, ran keepassxc extension and tested connection to the keepassxc app. Checked logs for Selinux denials.

Although I don't see a theoretical need for the permissions I removed, some additional testing from other users might still be helpful, just to be sure to not oversee some edge case.

WavyEbuilder
WavyEbuilder reviewed Mar 8, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@WavyEbuilder WavyEbuilder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can indeed speak positively on removing transition and dyntransition, that seems expected and reasonable to me and is in life with what I have policy wise.

@HastD HastD enabled auto-merge (squash) March 10, 2026 01:17
@HastD HastD merged commit b413a09 into secureblue:live Mar 10, 2026
16 checks passed
@HastD HastD removed the Pending CI label Mar 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@WavyEbuilder WavyEbuilder WavyEbuilder left review comments

@HastD HastD HastD approved these changes

@RoyalOughtness RoyalOughtness RoyalOughtness approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@PhysicsIsAwesome @RoyalOughtness @HastD @WavyEbuilder