* Revocation Support @ 2006-05-28 11:50 Mohammad Mahmoudi 2006-05-28 21:18 ` Erich Schubert 2006-05-28 21:54 ` Joshua Brindle 0 siblings, 2 replies; 5+ messages in thread From: Mohammad Mahmoudi @ 2006-05-28 11:50 UTC (permalink / raw) To: SELinux Does SELinux support revocation of permissions? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Revocation Support 2006-05-28 11:50 Revocation Support Mohammad Mahmoudi @ 2006-05-28 21:18 ` Erich Schubert 2006-05-28 21:54 ` Joshua Brindle 1 sibling, 0 replies; 5+ messages in thread From: Erich Schubert @ 2006-05-28 21:18 UTC (permalink / raw) To: Mohammad Mahmoudi; +Cc: SELinux Hi, > Does SELinux support revocation of permissions? Be more verbose _what_ you want to do, please. best regards, Erich Schubert -- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_ To be trusted is a greater complement than to be loved. //\ Es gibt wenig aufrichtige Freunde. Die Nachfrage ist auch gering. V_/_ --- Marie von Ebner-Eschenbach -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Revocation Support 2006-05-28 11:50 Revocation Support Mohammad Mahmoudi 2006-05-28 21:18 ` Erich Schubert @ 2006-05-28 21:54 ` Joshua Brindle 2006-05-28 22:14 ` Joshua Brindle 2006-05-30 15:12 ` Stephen Smalley 1 sibling, 2 replies; 5+ messages in thread From: Joshua Brindle @ 2006-05-28 21:54 UTC (permalink / raw) To: Mohammad Mahmoudi; +Cc: SELinux Mohammad Mahmoudi wrote: > Does SELinux support revocation of permissions? > The FLASK architecture, which SELinux is based on, does indeed support revocation by allowing object managers to register callbacks with the security server. However, on SELinux, this is not currently in use. So direct revocation where the object managers actively remove access to objects after a policy change doesn't happen. However, on some object classes permission is revalidated on every object use (like files and file descriptors). So, even though a process has a file descriptor to a file it previously had access top open, if the permissions change to that file type the next read or write operation will fail which essentially revokes access to it. This should be the case on a file types, fds, sockets, ipc (except shared memory). Hope this helps.. <http://us.rd.yahoo.com/mymod/showtimes/X-Men:%20The%20Last%20Stand/SIG=13eg95e87/*https://www.movietickets.com/purchase.asp?afid=myyah&house_id=8612&movie_id=44681&perfd=05282006&perft=23:30> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Revocation Support 2006-05-28 21:54 ` Joshua Brindle @ 2006-05-28 22:14 ` Joshua Brindle 2006-05-30 15:12 ` Stephen Smalley 1 sibling, 0 replies; 5+ messages in thread From: Joshua Brindle @ 2006-05-28 22:14 UTC (permalink / raw) To: Mohammad Mahmoudi; +Cc: SELinux Joshua Brindle wrote: > Mohammad Mahmoudi wrote: >> Does SELinux support revocation of permissions? >> > The FLASK architecture, which SELinux is based on, does indeed support > revocation by allowing object managers to register callbacks with the > security server. However, on SELinux, this is not currently in use. So > direct revocation where the object managers actively remove access to > objects after a policy change doesn't happen. > > However, on some object classes permission is revalidated on every > object use (like files and file descriptors). So, even though a > process has a file descriptor to a file it previously had access top > open, if the permissions change to that file type the next read or > write operation will fail which essentially revokes access to it. This > should be the case on a file types, fds, sockets, ipc (except shared > memory). > > Hope this helps.. > <http://us.rd.yahoo.com/mymod/showtimes/X-Men:%20The%20Last%20Stand/SIG=13eg95e87/*https://www.movietickets.com/purchase.asp?afid=myyah&house_id=8612&movie_id=44681&perfd=05282006&perft=23:30> > > Neat, I dont' know how that link got in my email but it was obviously an accident :) -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Revocation Support 2006-05-28 21:54 ` Joshua Brindle 2006-05-28 22:14 ` Joshua Brindle @ 2006-05-30 15:12 ` Stephen Smalley 1 sibling, 0 replies; 5+ messages in thread From: Stephen Smalley @ 2006-05-30 15:12 UTC (permalink / raw) To: Joshua Brindle; +Cc: Mohammad Mahmoudi, SELinux On Sun, 2006-05-28 at 17:54 -0400, Joshua Brindle wrote: > Mohammad Mahmoudi wrote: > > Does SELinux support revocation of permissions? > > > The FLASK architecture, which SELinux is based on, does indeed support > revocation by allowing object managers to register callbacks with the > security server. However, on SELinux, this is not currently in use. So > direct revocation where the object managers actively remove access to > objects after a policy change doesn't happen. > > However, on some object classes permission is revalidated on every > object use (like files and file descriptors). So, even though a process > has a file descriptor to a file it previously had access top open, if > the permissions change to that file type the next read or write > operation will fail which essentially revokes access to it. This should > be the case on a file types, fds, sockets, ipc (except shared memory). Further, SELinux checks access to descriptors upon execve when the security context changes, and when descriptors are received via local IPC. This controls propagation of the access rights among security contexts. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2006-05-30 15:12 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2006-05-28 11:50 Revocation Support Mohammad Mahmoudi 2006-05-28 21:18 ` Erich Schubert 2006-05-28 21:54 ` Joshua Brindle 2006-05-28 22:14 ` Joshua Brindle 2006-05-30 15:12 ` Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.