[refpolicy] mls_systemlow is within mls_systemhigh?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sds@tycho.nsa.gov (Stephen Smalley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] mls_systemlow is within mls_systemhigh?
Date: Mon, 14 Feb 2011 08:26:35 -0500	[thread overview]
Message-ID: <1297689995.29692.7.camel@moss-pluto> (raw)
In-Reply-To: <SNT139-w2553CEF808ED82DAC0771BABEE0@phx.gbl>

On Sat, 2011-02-12 at 09:25 +0000, HarryCiao wrote:
> Hi all,
> 
> I seems to run into a weird problem, that a staff user(t2 in below
> example) that could only assume mls_systemhigh could log in system
> successfully with some other lower security level such as
> mls_systemlow !
> 
> Shouldn't such login be denied?
> 
> The openssh source code calls libselinux API of security_compute_av()
> to check if the source context of staff_u:staff_r:staff_t:s0 is ever
> contained in that of staff_u:staff_r:staff_t:s15:c0.c1023, which could
> be reproduced by the compute_av command:
> 
> [root/sysadm_r/s0 at QtCao ~]# compute_av
> staff_u:staff_r:staff_t:s15:c0.c1023 staff_u:staff_r:staff_t:s0
> context 
> allowed= { contains }
> [root/sysadm_r/s0 at QtCao ~]# 
> 
> How come this ever happen?  Is there a selinuxfs kernel driver bug
> for /selinux/access file?
> 
> Any comment is greatly welcomed. The detailed logs are below.

Looks like policy is configured that way.  policy/mls has this rule:
mlsconstrain context contains
        ( h1 dom h2 );

So as long as the source context high level dominates the target context
high level, the constraint will evaluate to true and the permission will
be allowed.  If you want to enforce a minimal level for a user, you'd
have to rewrite that constraint, e.g.
mlsconstrain context contains 
	( ( h1 dom h2 ) and (l1 domby l2) );


-- 
Stephen Smalley
National Security Agency

next prev parent reply	other threads:[~2011-02-14 13:26 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-12  9:25 [refpolicy] mls_systemlow is within mls_systemhigh? HarryCiao
2011-02-14 13:26 ` Stephen Smalley [this message]
2011-02-15  2:11   ` HarryCiao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1297689995.29692.7.camel@moss-pluto \
    --to=sds@tycho.nsa.gov \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.