* Query MLS info outside of SELinux/LSM?
From: Paul Moore @ 2006-03-10 16:56 UTC (permalink / raw)
To: SELinux List
Is there a way to query the number of MLS sensitivity levels and
categories outside of the SELinux LSM? I haven't seen anything, but
thought I would ask before I started looking at alternatives ... which
brings me to my next question - would anyone have an objection to adding
this functionality?
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
From: Stephen Smalley @ 2006-03-10 17:11 UTC (permalink / raw)
To: Paul Moore; +Cc: SELinux List
On Fri, 2006-03-10 at 11:56 -0500, Paul Moore wrote:
> Is there a way to query the number of MLS sensitivity levels and
> categories outside of the SELinux LSM? I haven't seen anything, but
> thought I would ask before I started looking at alternatives ... which
> brings me to my next question - would anyone have an objection to adding
> this functionality?
The goal is to keep information about the specific security models
encapsulated in the security server (security/selinux/ss/*.c). The rest
of the SELinux code then remains policy-independent, as does the rest of
the kernel.
--
Stephen Smalley
National Security Agency
* Re: Query MLS info outside of SELinux/LSM?
From: Paul Moore @ 2006-03-10 17:22 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux List
Stephen Smalley wrote:
> On Fri, 2006-03-10 at 11:56 -0500, Paul Moore wrote:
>
>>Is there a way to query the number of MLS sensitivity levels and
>>categories outside of the SELinux LSM? I haven't seen anything, but
>>thought I would ask before I started looking at alternatives ... which
>>brings me to my next question - would anyone have an objection to adding
>>this functionality?
>
> The goal is to keep information about the specific security models
> encapsulated in the security server (security/selinux/ss/*.c). The rest
> of the SELinux code then remains policy-independent, as does the rest of
> the kernel.
>
The only concern I have with the above statement is that in some cases,
i.e. labeled networking, some of that security model information such as
MLS limits is important outside the security server.
--
paul moore
linux security @ hp
* Re: Query MLS info outside of SELinux/LSM?
From: Stephen Smalley @ 2006-03-10 17:37 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, SELinux List
On Fri, 2006-03-10 at 12:22 -0500, Paul Moore wrote:
> Stephen Smalley wrote:
> > On Fri, 2006-03-10 at 11:56 -0500, Paul Moore wrote:
> >
> >>Is there a way to query the number of MLS sensitivity levels and
> >>categories outside of the SELinux LSM? I haven't seen anything, but
> >>thought I would ask before I started looking at alternatives ... which
> >>brings me to my next question - would anyone have an objection to adding
> >>this functionality?
> >
> > The goal is to keep information about the specific security models
> > encapsulated in the security server (security/selinux/ss/*.c). The rest
> > of the SELinux code then remains policy-independent, as does the rest of
> > the kernel.
> >
>
> The only concern I have with the above statement is that in some cases,
> i.e. labeled networking, some of that security model information such as
> MLS limits is important outside the security server.
I think you want to generalize that kind of logic for arbitrary security
labels, not just MLS, and hide it behind an abstract interface provided
by the security server. Particularly since we want labeled networking
to support the full security context ultimately.
--
Stephen Smalley
National Security Agency
* Re: Query MLS info outside of SELinux/LSM?
From: Paul Moore @ 2006-03-10 17:38 UTC (permalink / raw)
To: Stephen Smalley; +Cc: James Morris, SELinux List
Stephen Smalley wrote:
> On Fri, 2006-03-10 at 12:22 -0500, Paul Moore wrote:
>
>>Stephen Smalley wrote:
>>
>>>On Fri, 2006-03-10 at 11:56 -0500, Paul Moore wrote:
>>>
>>>
>>>>Is there a way to query the number of MLS sensitivity levels and
>>>>categories outside of the SELinux LSM? I haven't seen anything, but
>>>>thought I would ask before I started looking at alternatives ... which
>>>>brings me to my next question - would anyone have an objection to adding
>>>>this functionality?
>>>
>>>The goal is to keep information about the specific security models
>>>encapsulated in the security server (security/selinux/ss/*.c). The rest
>>>of the SELinux code then remains policy-independent, as does the rest of
>>>the kernel.
>>>
>>
>>The only concern I have with the above statement is that in some cases,
>>i.e. labeled networking, some of that security model information such as
>>MLS limits is important outside the security server.
>
> I think you want to generalize that kind of logic for arbitrary security
> labels, not just MLS, and hide it behind an abstract interface provided
> by the security server. Particularly since we want labeled networking
> to support the full security context ultimately.
>
Agreed. Although for most cases in SELinux there are no practical upper
bounds so such logic (that I am thinking of anyway) doesn't make sense.
I was just looking for something to tell me the number of MLS levels
and categories in the current instantiated policy so I could do some
optimizations in the CIPSO/NetLabel code.
It's not a big deal, there is always another solution.
--
paul moore
linux security @ hp
* Re: Query MLS info outside of SELinux/LSM?
From: Stephen Smalley @ 2006-03-10 17:53 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, SELinux List
On Fri, 2006-03-10 at 12:38 -0500, Paul Moore wrote:
> Agreed. Although for most cases in SELinux there are no practical upper
> bounds so such logic (that I am thinking of anyway) doesn't make sense.
> I was just looking for something to tell me the number of MLS levels
> and categories in the current instantiated policy so I could do some
> optimizations in the CIPSO/NetLabel code.
>
> It's not a big deal, there is always another solution.
For experimental patches, you are certainly welcome to add an interface
to the security server to expose such information, and export it to the
rest of the kernel (see some of the recent audit-related patches and
James' skfilter patches for other examples where security server
interfaces are being exported to other kernel subsystems). We just
don't want the MLS limitation to be the ultimate solution upstream.
--
Stephen Smalley
National Security Agency
* Re: Query MLS info outside of SELinux/LSM?
From: Joe Nall @ 2006-03-10 19:03 UTC (permalink / raw)
To: Paul Moore; +Cc: James Morris, SELinux List, Stephen Smalley
> On Fri, 2006-03-10 at 12:38 -0500, Paul Moore wrote:
>> Agreed. Although for most cases in SELinux there are no practical upper
>> bounds so such logic (that I am thinking of anyway) doesn't make sense.
>> I was just looking for something to tell me the number of MLS levels
>> and categories in the current instantiated policy so I could do some
>> optimizations in the CIPSO/NetLabel code.
If there is a naming convention for system high you can ask for a
translation of SystemHigh and look at the level and categories
returned. Use of CIPSO could be dependent on certain names or aliases
being available in setrans.conf.
joe
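Joe's suggestion above, as an added example that is not code from this thread or from any SELinux project: a small Python parser for raw (untranslated) SELinux MLS levels and ranges, run over constructed sample contexts, that derives the number of sensitivity levels and categories from a SystemHigh context such as s0-s15:c0.c1023. It assumes the conventional raw syntax (sN sensitivities, cN categories, cA.cB inclusive ranges, comma-separated lists, low-high ranges) and that SystemHigh really is defined as the topmost level of the loaded policy; the function names and sample contexts are mine. The translation step Joe refers to is what libselinux exposes as selinux_trans_to_raw_context(); it is deliberately not called here so the script runs offline. As the following reply points out, a kernel-side NetLabel component cannot take this route at all, since setrans.conf translations are a userspace facility.

```python
import re

# Constructed sample raw (untranslated) SELinux contexts; illustrative only,
# not taken from the thread or from any real policy.
SAMPLE_CONTEXTS = [
    "system_u:system_r:kernel_t:s0",
    "system_u:object_r:etc_t:s0-s15:c0.c1023",
    "user_u:user_r:user_t:s2:c1,c3.c5,c9",
]

_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
_CAT_ITEM_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")


def parse_level(level):
    """Parse one raw MLS level such as 's15:c0.c1023' into
    (sensitivity, frozenset of category numbers).  'cA.cB' is an
    inclusive range, 'cA,cB' a list; the two forms may be mixed."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"malformed MLS level: {level!r}")
    sensitivity = int(m.group(1))
    cats = set()
    if m.group(2):
        for item in m.group(2).split(","):
            cm = _CAT_ITEM_RE.match(item)
            if not cm:
                raise ValueError(f"malformed category set: {level!r}")
            lo = int(cm.group(1))
            hi = int(cm.group(2)) if cm.group(2) is not None else lo
            if hi < lo:
                raise ValueError(f"descending category range: {item!r}")
            cats.update(range(lo, hi + 1))
    return sensitivity, frozenset(cats)


def parse_range(mls):
    """Parse 'low' or 'low-high'.  A single level means low == high.
    Rejects ranges whose high level does not dominate the low level
    (higher or equal sensitivity and a superset of the categories)."""
    parts = mls.split("-")
    if len(parts) > 2 or not parts[0]:
        raise ValueError(f"malformed MLS range: {mls!r}")
    low = parse_level(parts[0])
    high = parse_level(parts[-1])
    if high[0] < low[0] or not low[1] <= high[1]:
        raise ValueError(f"high level does not dominate low level: {mls!r}")
    return low, high


def split_context(ctx):
    """Split a raw context 'user:role:type[:mls]'.  The MLS field itself
    contains colons, so split on at most the first three."""
    fields = ctx.split(":", 3)
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError(f"malformed security context: {ctx!r}")
    mls = fields[3] if len(fields) == 4 else None
    return fields[0], fields[1], fields[2], mls


def bounds_from_system_high(system_high_ctx):
    """Number of sensitivity levels and categories implied by the raw
    SystemHigh context.  Sensitivities and categories are numbered from 0,
    so each count is max + 1.  Returns (num_levels, num_categories); a
    context without an MLS field (non-MLS policy) yields (0, 0)."""
    _, _, _, mls = split_context(system_high_ctx)
    if mls is None:
        return 0, 0
    _, high = parse_range(mls)
    num_levels = high[0] + 1
    num_cats = (max(high[1]) + 1) if high[1] else 0
    return num_levels, num_cats


if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        user, role, typ, mls = split_context(ctx)
        print(ctx, "->", user, role, typ, mls and parse_range(mls))
    print(bounds_from_system_high(SAMPLE_CONTEXTS[1]))  # (16, 1024)
```

The dominance check in parse_range matters in practice: a range whose high level does not dominate its low level is invalid in policy, and silently accepting one would make the derived counts meaningless. Note that the counts reflect only what SystemHigh declares; categories or sensitivities declared in policy but absent from SystemHigh are invisible to this method, which is exactly the naming-convention dependency Joe mentions.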
* Re: Query MLS info outside of SELinux/LSM?
From: Stephen Smalley @ 2006-03-10 19:15 UTC (permalink / raw)
To: Joe Nall; +Cc: Paul Moore, James Morris, SELinux List
On Fri, 2006-03-10 at 13:03 -0600, Joe Nall wrote:
> If there is a naming convention for system high you can ask for a
> translation of SystemHigh and look at the level and categories
> returned. Use of CIPSO could be dependent on certain names or aliases
> being available in setrans.conf.
I think he means his NetLabel kernel component, not a userspace
component, so he isn't dealing with translations at all there. Just the
raw kernel representation.
--
Stephen Smalley
National Security Agency
* Re: Query MLS info outside of SELinux/LSM?
From: Paul Moore @ 2006-03-10 19:16 UTC (permalink / raw)
To: Stephen Smalley, Joe Nall; +Cc: James Morris, SELinux List
Stephen Smalley wrote:
> On Fri, 2006-03-10 at 13:03 -0600, Joe Nall wrote:
>
>>If there is a naming convention for system high you can ask for a
>>translation of SystemHigh and look at the level and categories
>>returned. Use of CIPSO could be dependent on certain names or aliases
>>being available in setrans.conf.
>
> I think he means his NetLabel kernel component, not a userspace
> component, so he isn't dealing with translations at all there. Just the
> raw kernel representation.
>
Yep, Stephen is correct. It's academic at this point anyway as I've
worked around it.
--
paul moore
linux security @ hp