Revocation Support

Revocation Support

[Mohammad Mahmoudi]

Does SELinux support revocation of permissions?

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Revocation Support

[Erich Schubert]

Hi,
> Does SELinux support revocation of permissions?

Be more verbose _what_ you want to do, please.

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       To be trusted is a greater complement than to be loved.       //\
  Es gibt wenig aufrichtige Freunde. Die Nachfrage ist auch gering.  V_/_
                    --- Marie von Ebner-Eschenbach


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Revocation Support

[Joshua Brindle]

Mohammad Mahmoudi wrote:
> Does SELinux support revocation of permissions?
>   
The FLASK architecture, which SELinux is based on, does indeed support 
revocation by allowing object managers to register callbacks with the 
security server. However, on SELinux, this is not currently in use. So 
direct revocation where the object managers actively remove access to 
objects after a policy change doesn't happen.

However, on some object classes permission is revalidated on every 
object use (like files and file descriptors). So, even though a process 
has a file descriptor to a file it previously had access top open, if 
the permissions change to that file type the next read or write 
operation will fail which essentially revokes access to it. This should 
be the case on a file types, fds, sockets, ipc (except shared memory).

Hope this helps..
<http://us.rd.yahoo.com/mymod/showtimes/X-Men:%20The%20Last%20Stand/SIG=13eg95e87/*https://www.movietickets.com/purchase.asp?afid=myyah&house_id=8612&movie_id=44681&perfd=05282006&perft=23:30> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Revocation Support

[Joshua Brindle]

Joshua Brindle wrote:
> Mohammad Mahmoudi wrote:
>> Does SELinux support revocation of permissions?
>>   
> The FLASK architecture, which SELinux is based on, does indeed support 
> revocation by allowing object managers to register callbacks with the 
> security server. However, on SELinux, this is not currently in use. So 
> direct revocation where the object managers actively remove access to 
> objects after a policy change doesn't happen.
>
> However, on some object classes permission is revalidated on every 
> object use (like files and file descriptors). So, even though a 
> process has a file descriptor to a file it previously had access top 
> open, if the permissions change to that file type the next read or 
> write operation will fail which essentially revokes access to it. This 
> should be the case on a file types, fds, sockets, ipc (except shared 
> memory).
>
> Hope this helps..
> <http://us.rd.yahoo.com/mymod/showtimes/X-Men:%20The%20Last%20Stand/SIG=13eg95e87/*https://www.movietickets.com/purchase.asp?afid=myyah&house_id=8612&movie_id=44681&perfd=05282006&perft=23:30> 
>
>
Neat, I dont' know how that link got in my email but it was obviously an 
accident :)


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Revocation Support

[Stephen Smalley]

On Sun, 2006-05-28 at 17:54 -0400, Joshua Brindle wrote:
> Mohammad Mahmoudi wrote:
> > Does SELinux support revocation of permissions?
> >   
> The FLASK architecture, which SELinux is based on, does indeed support 
> revocation by allowing object managers to register callbacks with the 
> security server. However, on SELinux, this is not currently in use. So 
> direct revocation where the object managers actively remove access to 
> objects after a policy change doesn't happen.
> 
> However, on some object classes permission is revalidated on every 
> object use (like files and file descriptors). So, even though a process 
> has a file descriptor to a file it previously had access top open, if 
> the permissions change to that file type the next read or write 
> operation will fail which essentially revokes access to it. This should 
> be the case on a file types, fds, sockets, ipc (except shared memory).

Further, SELinux checks access to descriptors upon execve when the
security context changes, and when descriptors are received via local
IPC.  This controls propagation of the access rights among security
contexts.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.