Subject: type transition
From: Giorgio Zanin @ 2002-11-04 19:29 UTC
To: Stephen Smalley, selinux
What's the difference between the following statements:
type_transition TYPE_A TYPE_B:process TYPE_C
and
allow TYPE_A TYPE_C:process transition
?
If I am not wrong the first statement forces a new process, created by
TYPE_A, to belong to TYPE_C, i.e. every time TYPE_A creates a process
(with respect to TYPE_B) this process is made member of TYPE_C.
The second statement allows TYPE_A to change to TYPE_C.
Do both occur upon an execve()? If so, what's the difference between
them? It seems the first requires a call to fork(), while the second
does not; probably I am wrong but it's the only difference I can argue.
Can anyone explain how these type transitions occur (possibly everything
about type transitions in SELinux....)?
Thanks
Giorgio
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Subject: Re: type transition
From: Wayne Salamon @ 2002-11-05 14:49 UTC
To: Giorgio Zanin; +Cc: selinux
On Mon, 4 Nov 2002, Giorgio Zanin wrote:
> What's the difference between the following statements:
>
> type_transition TYPE_A TYPE_B:process TYPE_C
>
This rule states how a process transitions. If a process is currently in
domain TYPE_A, and execs a file of type TYPE_B, then the process will
transition to domain TYPE_C. However, the policy must allow this
transition, hence:
>
> allow TYPE_A TYPE_C:process transition
This rule states that a process in domain TYPE_A is allowed to
transition to domain TYPE_C.
You should look at the SELinux Policy doc for more information, at
http://www.nsa.gov/selinux/policy2-abs.html
You can also refer to the original SELinux report:
http://www.nsa.gov/selinux/slinux-abs.html.
--
Wayne Salamon
wsalamon@tislabs.com
Subject: Re: type transition
From: Stephen D. Smalley @ 2002-11-07 20:31 UTC
To: selinux, giorgio.zanin
> From: Giorgio Zanin <giorgio.zanin@inwind.it>
>
> What's the difference between the following statements:
>
> type_transition TYPE_A TYPE_B:process TYPE_C
>
> and
>
> allow TYPE_A TYPE_C:process transition
> ?
>
> If I am not wrong the first statement forces a new process, created by
> TYPE_A, to belong to TYPE_C, i.e. every time TYPE_A creates a process
> (with respect to TYPE_B) this process is made member of TYPE_C.
> The second statement allows TYPE_A to change to TYPE_C.
> Do both occur upon an execve()? If so, what's the difference between
> them? It seems the first requires a call to fork(), while the second
> does not; probably I am wrong but it's the only difference I can argue.
> Can anyone explain how these type transitions occur (possibly everything
> about type transitions in SELinux....)?
This is explained in the technical reports available from the NSA site.
To summarize, a type_transition rule specifies a default labeling behavior to
provide transparency to unmodified applications, but is not mandatory; it can be
overridden via the extended system calls if authorized by the policy. The allow
rules define what is permitted. A single type_transition may require a number
of allow rules to authorize it, e.g. look at what allow rules are contained by
a single domain_trans() macro. Automatically generating the set of allow rules
from a type_transition rule isn't really feasible in general without being more
permissive than you want in every case.
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
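The distinction drawn in both replies (type_transition sets a default, allow rules grant permission, and one transition needs several allow rules) can be made concrete with a small model of the execve()-time decision. The following is an added illustration written for this archive page, not code from the thread, from the SELinux kernel, or from the NSA example policy. The helper domain_trans_rules() approximates the allow rules that the example policy's domain_trans() macro expands to, as an assumption based on the policy of that era, and the execute_no_trans / entrypoint checks are modelled after the kernel's exec checks; the type and domain names are the placeholders from Giorgio's question.

```python
"""Model of how an SELinux policy decides a process's domain at execve().

Constructed example: rules, names and the decision order are assumptions
made for illustration, not copied from the thread or from any real policy.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # (source domain, target type, class) -> default type for the new object
    type_transitions: dict = field(default_factory=dict)
    # (source, target, class) -> set of granted permissions
    allows: dict = field(default_factory=dict)

    def add_type_transition(self, src, tgt, cls, default):
        self.type_transitions[(src, tgt, cls)] = default

    def add_allow(self, src, tgt, cls, perms):
        self.allows.setdefault((src, tgt, cls), set()).update(perms)

    def allowed(self, src, tgt, cls, perm):
        return perm in self.allows.get((src, tgt, cls), set())


def domain_trans_rules(policy, src, exec_type, dst):
    """Approximation (assumption) of the allow rules a domain_trans() macro
    needs so that src can enter dst by executing a file of exec_type."""
    policy.add_allow(src, exec_type, "file", {"getattr", "read", "execute"})
    policy.add_allow(src, dst, "process", {"transition"})
    policy.add_allow(dst, exec_type, "file", {"entrypoint"})
    policy.add_allow(dst, src, "process", {"sigchld"})
    policy.add_allow(dst, src, "fd", {"use"})
    policy.add_allow(src, dst, "fd", {"use"})


def exec_decision(policy, cur_domain, file_type, requested_domain=None):
    """Return (new_domain, reason); new_domain is None when execve is denied.

    Step 1: the type_transition rule only supplies a default; an explicit
    request (the "extended system calls" in Stephen's reply) overrides it.
    Step 2: every resulting access is still checked against allow rules.
    """
    default = policy.type_transitions.get(
        (cur_domain, file_type, "process"), cur_domain)
    new_domain = requested_domain or default

    if not policy.allowed(cur_domain, file_type, "file", "execute"):
        return None, "denied: execute on file"
    if new_domain == cur_domain:
        # Staying in the same domain: modelled as needing execute_no_trans
        if not policy.allowed(cur_domain, file_type, "file", "execute_no_trans"):
            return None, "denied: execute_no_trans"
        return cur_domain, "no transition"
    if not policy.allowed(cur_domain, new_domain, "process", "transition"):
        return None, f"denied: {cur_domain} -> {new_domain} process transition"
    if not policy.allowed(new_domain, file_type, "file", "entrypoint"):
        return None, f"denied: {file_type} not an entrypoint for {new_domain}"
    return new_domain, "transition"


def scenarios():
    """Three constructed policies that separate the two statements."""
    results = {}

    # (a) type_transition alone: the default says TYPE_C, but nothing allows it
    p = Policy()
    p.add_type_transition("TYPE_A", "TYPE_B", "process", "TYPE_C")
    p.add_allow("TYPE_A", "TYPE_B", "file", {"execute"})
    results["type_transition_only"] = exec_decision(p, "TYPE_A", "TYPE_B")

    # (b) allow transition alone: no default, so exec stays in TYPE_A;
    #     an explicit request for TYPE_C still fails for lack of entrypoint
    p = Policy()
    p.add_allow("TYPE_A", "TYPE_C", "process", {"transition"})
    p.add_allow("TYPE_A", "TYPE_B", "file", {"execute", "execute_no_trans"})
    results["allow_only_default"] = exec_decision(p, "TYPE_A", "TYPE_B")
    results["allow_only_requested"] = exec_decision(
        p, "TYPE_A", "TYPE_B", requested_domain="TYPE_C")

    # (c) type_transition plus the full set of allow rules
    p = Policy()
    p.add_type_transition("TYPE_A", "TYPE_B", "process", "TYPE_C")
    domain_trans_rules(p, "TYPE_A", "TYPE_B", "TYPE_C")
    results["full_domain_trans"] = exec_decision(p, "TYPE_A", "TYPE_B")
    return results


if __name__ == "__main__":
    for name, (domain, reason) in scenarios().items():
        print(f"{name:24s} -> {domain} ({reason})")
```

Scenario (a) is the case Wayne describes: the transition is the default but the policy never authorizes it, so the exec is denied. Scenario (b) shows the other half of Stephen's point: with only the allow rule, an unmodified program keeps running as TYPE_A, and even an explicit request fails until the remaining rules (here the entrypoint permission) are present. Only scenario (c), with the macro's full rule set, reaches TYPE_C.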