Re: [Fwd: type class key] - Casey Schaufler

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Stephen Smalley <sds@tycho.nsa.gov>, David Howells <dhowells@redhat.com>
Cc: Stefan Schulze Frielinghaus <stefan@seekline.net>, selinux@tycho.nsa.gov
Subject: Re: [Fwd: type class key]
Date: Fri, 9 Nov 2007 12:35:33 -0800 (PST)	[thread overview]
Message-ID: <280071.88616.qm@web36606.mail.mud.yahoo.com> (raw)
In-Reply-To: <1194638426.624.91.camel@moss-spartans.epoch.ncsc.mil>


--- Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Fri, 2007-11-09 at 14:51 -0500, Stephen Smalley wrote:
> > On Fri, 2007-11-09 at 19:48 +0000, David Howells wrote:
> > > Okay, it looks like it's probably the problem I'm thinking of.  If it is,
> I
> > > need to think carefully about how to deal with it.
> > > 
> > > Stephen: Would it be possible for me to create the per-UID keyring
> without
> > > reference to the security label of the current process?
> > > 
> > > The other alternative is to accept that if the label can't be linked
> because
> > > of a security label disagreement than that's that, and we don't give an
> error.
> > > 
> > > I don't like that second option, though, because that can seriously limit
> the
> > > utility of the per-UID keyring by it being a lottery as to what label it
> gets
> > > created with - basically who gets to try creating it first.
> > > 
> > > Any suggestions?
> > 
> > (taking discussion back on list)
> > 
> > We already provide a way to create a key with a specified label other
> > than the current process, via setkeycreatecon(3) aka writing the label
> > to /proc/self/attr/keycreate before allocating the key.
> > 
> > So why can't the userland code that is allocating these per-uid keyrings
> > use that interface to set the context appropriately for the actual user
> > rather than defaulting to its own context?
> 
> Ah, wait - this is an automatic allocation of a per-uid keyring upon a
> setuid() call, right?
> 
> So here we have a kernel-internal allocation of the keyring (so userland
> doesn't know it needs to setkeycreatecon, and requiring it to do so
> seems a bit clunky), yet on the other hand, we don't presently have a
> way to map a Linux uid automatically to a SELinux security context in
> the kernel - that's managed in userspace, and a single Linux uid might
> ultimately have a number of SELinux security contexts running on its
> behalf.

This is going to be a problem with any MAC scheme, or at least
any that allows a uid to use more than one label. There is a
faction that will shout "Polyinstantiation!" at this point,
advocating that there be a key for each uid/label pair. I can't
claim to understand how the keyring is used well enough to
say if this is a good idea or a bad one.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2007-11-09 20:36 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1194628263.3630.14.camel@vogon>
     [not found] ` <1194554589.3198.24.camel@moss-spartans.epoch.ncsc.mil>
     [not found]   ` <24708.1194612682@redhat.com>
     [not found]     ` <22421.1194637689@redhat.com>
2007-11-09 19:51       ` [Fwd: type class key] Stephen Smalley
2007-11-09 20:00         ` Stephen Smalley
2007-11-09 20:35           ` Casey Schaufler [this message]
2007-11-10 12:26           ` David Howells
2007-11-14 20:23             ` Daniel J Walsh
2007-11-15 12:17               ` David Howells
2007-11-15 13:33                 ` Daniel J Walsh
2007-11-15 13:57                 ` Stephen Smalley
2007-11-15 14:41                   ` David Howells
2007-11-15 14:52                     ` Stephen Smalley
2007-11-15 14:53               ` David Howells
2007-11-15 14:56                 ` Stephen Smalley
2007-11-15 14:58                 ` David Howells
2007-11-15 15:02                   ` Stephen Smalley
2007-11-15 16:04                     ` David Howells
2007-11-15 17:34                       ` David Howells
2007-11-15 18:26                         ` Stephen Smalley
2007-11-15 19:04                           ` David Howells
2007-11-16 19:53                         ` Casey Schaufler
2007-11-15 20:40                   ` James Morris
2007-11-15 13:08           ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=280071.88616.qm@web36606.mail.mud.yahoo.com \
    --to=casey@schaufler-ca.com \
    --cc=dhowells@redhat.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=stefan@seekline.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.