Re: link between roles and domains

[Guillaume PETITJEAN <guillaume.petitjean@st.com>]

Thank you for your answer.

It's basically what I understood and I'm still missing something : in 
the example policy (may be it is not representative of a real system ?) 
there are very few role transitions. And domain transition rules don't 
take into account the role. Then it seems to me that once a process has 
been associated the first time to a domain (the domain of the first 
security context in the default_contexts list) its role isn't used 
anymore since only domain transitions occur. Or do roles only aim to 
define the first domain of a process ?
Where is my mistake ?

Cheers,
Guillaume

Stephen Smalley wrote:

>On Mon, 2005-11-21 at 09:22 +0100, Guillaume PETITJEAN wrote:
>  
>
>>Hello,
>>
>>I'm new to SELinux.
>>
>>I have a question regarding the management of users and roles.
>>
>>I understood that a user is associated with a role (or several roles) 
>>and that each role is allowed to enter a set of domain. I understood  
>>how access control permissions are defined on couple of domains and the 
>>process of domain transitions. But I didn't understand which domain 
>>(among the set of domains allowed for a role) is selected at any time.
>>
>>In other terms let's say you have a process foo belonging to the role 
>>user_r and suppose user_r is allowed for (domain1_t, domain2_t, 
>>domain3_t), how does the policy decides to which domain will belong the 
>>process in practice in order to compute security decisions ?
>>    
>>
>
>The security context of a user process is set up by some "entrypoint"
>program, like login or sshd, by querying libselinux for an ordered list
>of reachable security contexts from the entrypoint process for the user.
>libselinux consults the kernel security server via selinuxfs as well as
>a default_contexts configuration to generate and order this list.  The
>kernel security server computes reachability based on process transition
>permission from the context of the entrypoint process to contexts for
>the user.
>
>Once the security context has been initially set for the user process,
>any subsequent domain transitions are governed by the policy based on
>the usual (file:execute, process:transition, file:entrypoint) triple.
>Any accesses by a process are governed by the domain stored in its
>security context.  A process may only have a single domain in its
>security context at any given time.
>
>  
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.