Re: [patch 2/2] Peersid capability support

[Paul Moore <paul.moore@hp.com>]

On Wednesday 07 November 2007 4:23:23 pm Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-11-07 at 15:50 -0500, Joshua Brindle wrote:
> >> plain text document attachment (peersid_cap.patch)
> >> Peersid capability support, keys the peersid capability on the peer
> >> object class.
> >
> > I'm uneasy about this approach, as it is similar to what we originally
> > tried for secmark - tying the compat_net setting to the presence of the
> > packet class in the policy, except there we were doing it at policy load
> > time.  As it turned out, we had policies that defined the packet class
> > well before we had usable rule sets for them, and even if we had covered
> > that angle, presence/absence of a class definition doesn't reflect
> > policy writer intent (e.g. does he want legacy network controls or
> > secmark irrespective of whether he is using a modern policy), so we went
> > back to manual setting of compat_net.
> >
> > What if the base.conf / policy.conf itself had an explicit declaration
> > of the capabilities to be enabled?  We can certainly do sanity checks
> > too (e.g. if they ask for this capability but haven't defined the
> > requisite class, that's a bug in their policy), but that would let
> > someone use the latest policy flask definitions but still select what
> > they want to enable/disable explicitly, and no unwitting enabling of
> > capabilities by side effect.
>
> I just implemented the last thing I saw in the capability bitmap thread,
> and what Paul had thought the behavior was going to be.
>
> I'm not expecting every capability to be keyed off an object class so I
> wasn't sure how to best enable them in a general way anyway.

Josh and I talked about this a little offline before he posted the patch and 
while we agreed this wasn't the best solution we were at a loss of how to do 
it the "right way".  Actually, I'm not even sure what the "right way" is ...

I like the idea of requiring the policy to explicitly turn on/off 
capabilities.  Further, I like the idea of the policy defining what 
capabilities are available and within those constraints allowing specific 
capabilities to be selected at policy load time.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.