From: Stephen Smalley <sds@tycho.nsa.gov>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SELinux <selinux@tycho.nsa.gov>, Eric Paris <eparis@parisplace.org>
Subject: Re: Suggestion on fixing a old libselinux problem.
Date: Fri, 02 Mar 2012 12:46:01 -0500 [thread overview]
Message-ID: <1330710361.2616.52.camel@moss-pluto> (raw)
In-Reply-To: <4F4F8AE8.5080703@redhat.com>
On Thu, 2012-03-01 at 09:42 -0500, Daniel J Walsh wrote:
> On 02/29/2012 04:34 PM, Stephen Smalley wrote:
> > I don't think we want to introduce greater complexity and more
> > possible failures causes into the mix for determining user
> > contexts. Simplest option would be to change
> > get_ordered_context_list() to return the empty list / fail in that
> > case rather than return the full reachable list from
> > security_compute_user. But I'd like to get rid of / replace
> > security_compute_user with a solution that is mostly userspace, at
> > most getting the user's authorized roles and default level
> > information from selinuxfs but not asking the kernel to compute
> > reachability.
> >
>
>
> Meaning we should read the contents of
> /etc/selinux/TYPE/contexts/users/SELINUXUSER and get the types from
> there that match the type of the login program.
> If that file does not exist, then fall back to
> /etc/selinux/TYPE/contexts/default_context and get the type from there.
>
> Then just check with the kernel if LOGINTYPE_T can transition to
> USERTYPE_T and choose that context. Else go to the next context. If
> no context is available to transition return failure.
You can use security_check_context() to see if the context is valid
(e.g. valid user:role pair) before performing a transition check.
You'll have to decide how you want it to operate in permissive mode; the
current security_compute_user() logic ignores permissive mode (via
AVC_STRICT) and thus will return the same contexts you would get in
enforcing mode. Otherwise permissive mode may lead to users logging in
as sysadm_r rather than user_r if authorized for both.
There is also the MLS aspect, which is more complex. See
mls_setup_user_range() in the kernel.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2012-03-02 17:46 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-29 20:47 Suggestion on fixing a old libselinux problem Daniel J Walsh
2012-02-29 21:22 ` Stephen Smalley
2012-02-29 21:34 ` Stephen Smalley
2012-03-01 14:42 ` Daniel J Walsh
2012-03-02 17:46 ` Stephen Smalley [this message]
2012-03-02 21:14 ` Stephen Smalley
2012-03-01 18:35 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1330710361.2616.52.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=dwalsh@redhat.com \
--cc=eparis@parisplace.org \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.