From: Paul Moore <paul.moore@hp.com>
To: Joshua Brindle <method@manicmethod.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
tmiller@tresys.com, selinux@tycho.nsa.gov
Subject: Re: PATCH: peersid capability support
Date: Fri, 30 Nov 2007 11:19:51 -0500 [thread overview]
Message-ID: <200711301119.51954.paul.moore@hp.com> (raw)
In-Reply-To: <47503412.20007@manicmethod.com>
On Friday 30 November 2007 11:02:26 am Joshua Brindle wrote:
> Paul Moore wrote:
> > On Friday 30 November 2007 10:31:57 am Joshua Brindle wrote:
> >> Equivalence between every module? I don't see how this would possibly
> >> work in practice, how would audit2allow know what caps to include when
> >> it creates a new module? How would support for new caps come from a
> >> policy upgrade when there are local modules present that don't have
> >> them?
> >
> > I know this is more work both in the code as well as for policy writers,
> > but how about two policy bitmaps for each module: one bitmap (call this
> > bitmap A) indicates the capabilities that the module is knows about (i.e.
> > the policy capabilities that were defined when the module was written)
> > and one bitmap (call this bitmap B) to signal which capabilities should
> > be toggled on? This way when you load/link/install a series of policy
> > modules you can check to make sure that the union of all the B bitmaps is
> > a subset of the intersection of all the A bitmaps. If this is not the
> > case you can print an error and refuse to load the module, or load it
> > with the offending capability turned off.
>
> I think this is way too complicated from a user point of view.
I won't argue that it isn't more complicated than the other options presented
so far ...
> I don't want users to 1) have to know capabilities that have nothing to do
> with their module
It's probably worth trying to better define "user" in this case. Are you
talking about the policy writer who is creating the module or the sysadmin
trying to load the module?
> 2) disable all caps by not including any in a module and potentially
> hose their system.
Wait a minute here, you'll have to explain this for me because I don't see how
you jumped to that conclusion, I never said to disable all capabilities.
Here is my thinking ...
1. System has policy installed and is working, or "not hosed"
2. Sysadmin tries to load new policy module which introduces a new capability
which is not known/understood by all of the currently loaded modules, we can
either:
2a. Fail to load the module and have the sysadmin report the problem, system
continues without new policy, still "not hosed"
2b. Allow a forced load of the new module with the new capability disabled,
the new module may not work correctly but hey we warned you ...
potential "hosing" but should be easily repaired on the fly by removing the
module
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-11-30 16:19 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-11-29 19:27 PATCH: peersid capability support tmiller
2007-11-29 21:24 ` Stephen Smalley
2007-11-29 23:24 ` Joshua Brindle
2007-11-30 13:34 ` Stephen Smalley
2007-11-30 14:38 ` Joshua Brindle
2007-11-30 14:48 ` Stephen Smalley
2007-11-30 14:53 ` Stephen Smalley
2007-11-30 15:31 ` Joshua Brindle
2007-11-30 15:44 ` Paul Moore
2007-11-30 16:02 ` Joshua Brindle
2007-11-30 16:19 ` Paul Moore [this message]
2007-11-30 16:12 ` Stephen Smalley
2007-11-30 16:41 ` Stephen Smalley
2007-11-30 14:29 ` Paul Moore
2007-11-30 14:43 ` Joshua Brindle
2007-11-30 14:47 ` Paul Moore
2007-11-30 16:30 ` Paul Moore
2007-11-30 16:59 ` Todd Miller
2007-11-30 17:08 ` Stephen Smalley
2007-11-30 18:19 ` Paul Moore
2007-12-03 15:53 ` Christopher J. PeBenito
2008-01-03 15:15 ` Václav Ovsík
2008-01-03 15:25 ` Todd Miller
-- strict thread matches above, loose matches on Subject: below --
2007-11-30 17:34 Todd C. Miller
2007-11-30 19:06 ` Paul Moore
2007-11-30 22:48 ` Paul Moore
2007-12-01 0:19 ` Joshua Brindle
2007-12-03 17:32 ` Paul Moore
2007-12-03 18:21 ` Stephen Smalley
2007-12-03 19:41 Todd C. Miller
2007-12-04 19:26 ` Paul Moore
2007-12-04 20:18 ` Stephen Smalley
2007-12-05 18:58 ` Stephen Smalley
2007-12-05 19:00 ` Todd Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200711301119.51954.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=method@manicmethod.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=tmiller@tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.