From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov,
Thomas Bleher <bleher@informatik.uni-muenchen.de>,
SELinux-dev@tresys.com, James Morris <jmorris@redhat.com>
Subject: Re: [RFC][PATCH] selinux: introduce support for deferred mapping of inode security contexts
Date: Fri, 19 May 2006 09:59:09 -0400 [thread overview]
Message-ID: <446DCF2D.9020902@redhat.com> (raw)
In-Reply-To: <1148046296.25168.89.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Mon, 2006-05-15 at 12:35 -0400, Stephen Smalley wrote:
>
>> With this patch applied, the following sequence is possible, subject to
>> policy, which must allow <domain> security_t:security labelpriv; and
>> allow unlabeled_t fs_t:filesystem associate; in order for this to work
>> in enforcing mode. Note that unconfined_t implicitly picks up all
>> security permissions at present due to the use of a wildcard for the
>> permission set in its rule. However, you still need the second allow
>> rule as well in order for this to succeed in enforcing mode.
>>
>> # touch foo
>> # chcon -t foo_exec_t foo
>> # ls -Z foo
>> -rw-r--r-- root root system_u:object_r:unlabeled_t foo
>> # semodule -i foo.pp # defines foo_exec_t
>> # ls -Z foo
>> -rw-r--r-- root root user_u:object_r:foo_exec_t foo
>> # semodule -r foo
>> # ls -Z foo
>> -rw-r--r-- root root system_u:object_r:unlabeled_t foo
>> # semodule -i foo.pp
>> # ls -Z foo
>> -rw-r--r-- root root user_u:object_r:foo_exec_t foo
>>
>
> Eric Paris pointed out that the above behavior violates the principle of
> least surprise for users (chcon appears to succeed but leaves the file
> with unlabeled_t). So to clarify: The intent would be to exclude
> labelpriv permission from even unconfined_t and to only allow it to
> specific program domains (initially only package manager domains) where
> the program expects such behavior and performs some verification
> separately once the file context is expected to be valid. Of course,
> this requires that rpm_t not be an alias of unconfined_t, which is true
> in FC5 (but not in FC4).
>
>
We already have this problem in targeted with aliases.
Try
# ls -lZ /lib/libselinux.so.1
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libselinux.so.1
# chcon -t shlib_t /lib/libselinux.so.1
# ls -lZ /lib/libselinux.so.1
-rwxr-xr-x root root system_u:object_r:lib_t /lib/libselinux.so.1
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-05-19 13:59 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-15 16:35 [RFC][PATCH] selinux: introduce support for deferred mapping of inode security contexts Stephen Smalley
2006-05-15 17:41 ` Stephen Smalley
2006-05-16 12:15 ` Stephen Smalley
2006-05-17 7:54 ` Thomas Bleher
2006-05-17 17:52 ` Karl MacMillan
2006-05-17 19:01 ` Stephen Smalley
2006-05-18 18:14 ` Thomas Bleher
2006-05-19 12:59 ` Stephen Smalley
2006-05-19 13:18 ` Joshua Brindle
2006-05-19 13:18 ` Karl MacMillan
2006-05-23 17:15 ` Stephen Smalley
2006-05-23 18:23 ` Daniel J Walsh
2006-05-23 18:50 ` Stephen Smalley
2006-05-23 20:11 ` Stephen Smalley
2006-05-24 17:24 ` Jeremy Katz
2006-05-24 17:24 ` Jeremy Katz
2006-05-24 18:01 ` Stephen Smalley
2006-05-24 17:24 ` Jeremy Katz
2006-05-24 17:48 ` Stephen Smalley
2006-05-25 15:19 ` Stephen Smalley
2006-05-25 15:28 ` Stephen Smalley
2006-05-26 18:54 ` Jeremy Katz
2006-05-26 20:13 ` Stephen Smalley
2006-05-26 20:16 ` Jeremy Katz
2006-05-17 18:26 ` Stephen Smalley
2006-05-17 18:28 ` Karl MacMillan
2006-05-17 18:43 ` Stephen Smalley
2006-05-19 13:44 ` Stephen Smalley
2006-05-19 13:59 ` Daniel J Walsh [this message]
2006-05-19 14:14 ` Stephen Smalley
2006-05-19 14:20 ` Daniel J Walsh
-- strict thread matches above, loose matches on Subject: below --
2006-05-19 14:05 Joshua Brindle
2006-05-19 14:18 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=446DCF2D.9020902@redhat.com \
--to=dwalsh@redhat.com \
--cc=SELinux-dev@tresys.com \
--cc=bleher@informatik.uni-muenchen.de \
--cc=jmorris@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.