From: James Antill <jantill@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
viro@ftp.linux.org.uk, selinux@tycho.nsa.gov,
LSM List <linux-security-module@vger.kernel.org>,
James Morris <jmorris@namei.org>,
Eric Paris <eparis@parisplace.org>
Subject: Re: SELinux security and passed file descriptors
Date: Fri, 31 Aug 2007 11:39:43 -0400 [thread overview]
Message-ID: <1188574783.11631.43.camel@code.and.org> (raw)
In-Reply-To: <8927.1188570735@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 2095 bytes --]
On Fri, 2007-08-31 at 15:32 +0100, David Howells wrote:
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> > That's how mandatory access control is supposed to work; otherwise, a
> > flaw in A can leak the descriptor to B at will in violation of security
> > policy.
>
> Yeah, but by making it impossible to have the flaw, you've also made it
> impossible for A to validly pass to B a file descriptor B wouldn't otherwise
> be able to access directly, but should be able to access on behalf of A.
>
> To put it another way, how does A now legitimately pass on to B the grant of
> rights A had on that specific file descriptor?
It doesn't, that's what the _Mandatory_ part of Mandatory Access
Control is all about.
See the third paragraph from wikipedia, on MAC:
"""MAC's most important feature involves denying users full control over
the access to resources that they create. [...] """
http://en.wikipedia.org/wiki/Mandatory_access_control
> I don't think you can practically change the security attached to the file
> struct,
>
> With respect to execve(), imagine that program A (a shell, say) opens a file
> to use as a stdout for program B, which it then proceeds to exec. Imagine,
> however, the process's security label is changed during the exec of B and this
> disallows B from writing to its stdout. Is this correct behaviour since it is
> differs depending on whether SELinux is in enforcing mode or not? Or is there
> some way around this in SELinux? (I presume this is what
> flush_unauthorized_files() does).
This is correct, and often happens with respect to stdout (see
allow_daemons_use_tty etc.).
You might also be asking how you can run B in the same security context
as A, and you can do that by calling setexeccon() with the result from
getcon(). But that is very likely to affect more than just writing to
stdout.
Or you could call fsetfilecon() on stdout from A, so that it would be
in a context that B could use, but that might not be allowed (or just be
a bad idea).
--
James Antill <jantill@redhat.com>
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2007-08-31 15:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-30 15:12 SELinux security and passed file descriptors David Howells
2007-08-30 15:19 ` Stephen Smalley
2007-08-31 14:32 ` David Howells
2007-08-31 15:01 ` Stephen Smalley
2007-08-31 15:39 ` Casey Schaufler
2007-08-31 15:46 ` Mikel L. Matthews
2007-08-31 15:39 ` James Antill [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1188574783.11631.43.camel@code.and.org \
--to=jantill@redhat.com \
--cc=dhowells@redhat.com \
--cc=eparis@parisplace.org \
--cc=jmorris@namei.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.