From: Paul Moore <paul@paul-moore.com>
To: Andy Lutomirski <luto@amacapital.net>,
Stephen Smalley <sds@tycho.nsa.gov>
Cc: SELinux-NSA <selinux@tycho.nsa.gov>
Subject: Re: [PATCH v2] selinux: Permit bounded transitions under NO_NEW_PRIVS or NOSUID.
Date: Tue, 12 Aug 2014 15:08:14 -0400
Message-ID: <1781230.AAtiyApM3R@sifl>
In-Reply-To: <CALCETrV=MbtkRR8qk-Eu++pn3z3gZ9sEp2RUZXyhKj_-kzOEpw@mail.gmail.com>

On Tuesday, August 12, 2014 11:56:42 AM Andy Lutomirski wrote:
> On Aug 12, 2014 11:07 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
> > On 08/12/2014 02:01 PM, Andy Lutomirski wrote:
> > > On Mon, Aug 4, 2014 at 10:36 AM, Stephen Smalley wrote:
> > >> If the callee SID is bounded by the caller SID, then allowing
> > >> the transition to occur poses no risk of privilege escalation and we
> > >> can therefore safely allow the transition to occur. Add this exemption
> > >> for both the case where a transition was explicitly requested by the
> > >> application and the case where an automatic transition is defined in
> > >> policy.
> > >
> > > This still wants something like security_bounded_transition_noaudit,
> > > right? (Or just a parameter about whether to audit -- there will only
> > > be two callers, I think.)
> >
> > I think generating an audit record is correct in this case; the
> > operation would have succeeded if the type were bounded, so it is
> > correct and helpful to report this to the audit log for diagnosing
> > failures. I think Paul's prior objection was that you could end up with
> > an audit record even when the operation succeeded when we allowed the
> > transitions on either a bounded transition or dyntransition permission,
> > but that is no longer the case.
>
> Fair enough.

Yes, the audit problem is no longer an issue and the comments look good to me.

> Does this have any chance of making 3.17?

No. That ship has sailed.

However, I would still like to see some more Reviewed-by/Tested-by mails
before we merge this for 3.18. Andy, based on discussion on this thread and
previous threads, I assume you're happy with this patch?

--
paul moore
www.paul-moore.com