From: Stephen Smalley <sds@tycho.nsa.gov>
To: HarryCiao <harrytaurus2002@hotmail.com>
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>,
selinux-mailing-list <selinux@tycho.nsa.gov>,
refpolicy@oss1.tresys.com
Subject: Re: Further questions about configuring contexts differently for variant classes
Date: Fri, 04 Mar 2011 09:04:58 -0500 [thread overview]
Message-ID: <1299247498.22127.8.camel@moss-pluto> (raw)
In-Reply-To: <SNT139-w62C8D0A475883C71AD50F9ABC20@phx.gbl>
On Fri, 2011-03-04 at 10:38 +0000, HarryCiao wrote:
> Hi Stephen and Chris,
>
> I would like to dig deeper on this topic and I have started thinking
> below questions as a starting point, it definitively would help me to
> get warmed up quickly if you could help pointing me at the background
> story :-)
>
> [cut]
> > > ... Maybe we can come up with some generalized
> > > solution that will be more flexible going forward for configuring
> how
> > > different parts of the context are assigned for different classes.
> We
> > > have talked previously about using the role field even for files
> rather
> > > than just making them all object_r.
> >
>
> 1. Would it work simply to make the newly created objects have the
> role of "scontext->role" than "object_r" in security_compute_sid?
No, that would break existing policies. We need a way to allow existing
systems to still use object_r while allowing future policies to leverage
new support for using the role field in object security contexts. I
sketched one possible approach in the earlier thread that Chris
referenced, i.e. inherit from tcontext->role (parent directory) and add
role transition support on object classes. Then on existing systems
where directories are labeled object_r, everything will still work as
before, but with new policies, we can set up role transitions on the
file classes to use the subject role where that is desired.
> 2. If files' role is not "object_r" anymore, what changes in refpolicy
> and SELinux kernel space would have to be done accordingly?
In the kernel, we check for OBJECT_R_VAL and exempt security contexts
with that role from the validation checks on user-role, role-type, and
user-range. So using subject roles on objects will enable that checking
and require that the policy explicitly authorize those pairings.
> ! 3. Where can I find our previously talks on such topic?
Looks like Chris did a good job of hunting down the prior discussions.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: sds@tycho.nsa.gov (Stephen Smalley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Further questions about configuring contexts differently for variant classes
Date: Fri, 04 Mar 2011 09:04:58 -0500 [thread overview]
Message-ID: <1299247498.22127.8.camel@moss-pluto> (raw)
In-Reply-To: <SNT139-w62C8D0A475883C71AD50F9ABC20@phx.gbl>
On Fri, 2011-03-04 at 10:38 +0000, HarryCiao wrote:
> Hi Stephen and Chris,
>
> I would like to dig deeper on this topic and I have started thinking
> below questions as a starting point, it definitively would help me to
> get warmed up quickly if you could help pointing me at the background
> story :-)
>
> [cut]
> > > ... Maybe we can come up with some generalized
> > > solution that will be more flexible going forward for configuring
> how
> > > different parts of the context are assigned for different classes.
> We
> > > have talked previously about using the role field even for files
> rather
> > > than just making them all object_r.
> >
>
> 1. Would it work simply to make the newly created objects have the
> role of "scontext->role" than "object_r" in security_compute_sid?
No, that would break existing policies. We need a way to allow existing
systems to still use object_r while allowing future policies to leverage
new support for using the role field in object security contexts. I
sketched one possible approach in the earlier thread that Chris
referenced, i.e. inherit from tcontext->role (parent directory) and add
role transition support on object classes. Then on existing systems
where directories are labeled object_r, everything will still work as
before, but with new policies, we can set up role transitions on the
file classes to use the subject role where that is desired.
> 2. If files' role is not "object_r" anymore, what changes in refpolicy
> and SELinux kernel space would have to be done accordingly?
In the kernel, we check for OBJECT_R_VAL and exempt security contexts
with that role from the validation checks on user-role, role-type, and
user-range. So using subject roles on objects will enable that checking
and require that the policy explicitly authorize those pairings.
> ! 3. Where can I find our previously talks on such topic?
Looks like Chris did a good job of hunting down the prior discussions.
--
Stephen Smalley
National Security Agency
next prev parent reply other threads:[~2011-03-04 14:04 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-24 10:44 Separate type for AF_UNIX socket created by syslogd_t HarryCiao
2011-02-24 10:44 ` [refpolicy] " HarryCiao
2011-02-24 13:35 ` Stephen Smalley
2011-02-24 13:35 ` [refpolicy] " Stephen Smalley
2011-02-24 15:52 ` Christopher J. PeBenito
2011-02-24 15:52 ` [refpolicy] " Christopher J. PeBenito
2011-02-26 3:29 ` HarryCiao
2011-02-26 3:29 ` [refpolicy] " HarryCiao
2011-03-04 10:38 ` Further questions about configuring contexts differently for variant classes HarryCiao
2011-03-04 10:38 ` [refpolicy] " HarryCiao
2011-03-04 10:57 ` Russell Coker
2011-03-04 13:46 ` Christopher J. PeBenito
2011-03-04 13:46 ` [refpolicy] " Christopher J. PeBenito
2011-03-04 14:04 ` Stephen Smalley [this message]
2011-03-04 14:04 ` Stephen Smalley
2011-02-24 18:18 ` Separate type for AF_UNIX socket created by syslogd_t Stephen Smalley
2011-02-24 18:18 ` [refpolicy] " Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1299247498.22127.8.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=cpebenito@tresys.com \
--cc=harrytaurus2002@hotmail.com \
--cc=refpolicy@oss1.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.