* [PATCH] MLS context contains policy/libselinux changes
@ 2006-11-07 21:51 James Antill
  2006-11-08  6:32 ` Joshua Brindle
  2006-11-14 13:38 ` Christopher J. PeBenito
  0 siblings, 2 replies; 6+ messages in thread
From: James Antill @ 2006-11-07 21:51 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: redhat-lspp, SE Linux, Stephen Smalley

 Here are the policy changes needed for the context contains security
checking in PAM and cron.

-- 
James Antill - <james.antill@redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);


[-- Attachment #1.2: MLS Range checking for cron/PAM --]
[-- Type: text/x-patch, Size: 1095 bytes --]

Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors	(revision 2078)
+++ policy/flask/access_vectors	(working copy)
@@ -635,4 +635,5 @@
 class context
 {
 	translate
+	contains
 }
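Review bot: the new `contains` permission is added to class context with no description of its semantics anywhere in the submission, and the subject line promises libselinux changes that this attachment (policy files only) does not carry. A commit message stating which contexts are source and target for the check (clearance from seusers versus the user-requested level, per the later discussion in this thread) and a pointer to the matching libselinux/PAM/cron change would let the policy side be reviewed on its own.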
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if	(revision 2078)
+++ policy/modules/system/userdomain.if	(working copy)
@@ -51,6 +51,8 @@
 	allow $1_t self:msg { send receive };
 	dontaudit $1_t self:socket create;
 
+	allow $1_t self:context contains;
+
 	allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
 	term_create_pty($1_t,$1_devpts_t)
 
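Review bot: the rule `allow $1_t self:context contains;` references a class that nothing in this interface declares; `context` is a userland object class, so it is not pulled in by the interface's existing gen_require() handling and the module will fail to build where the class is not already required. Add a require block alongside the rule:
`gen_require(`
	class context contains;
')`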
Index: policy/mls
===================================================================
--- policy/mls	(revision 2078)
+++ policy/mls	(working copy)
@@ -597,4 +597,7 @@
 mlsconstrain context translate
 	(( h1 dom h2 ) or ( t1 == mlstranslate ));
 
+mlsconstrain context contains
+	( h1 dom h2 );
+
 ') dnl end enable_mls
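Review bot: the constraint `( h1 dom h2 )` only bounds the high end of the target range, although the permission is named `contains` and the check, as described later in the thread, is that the user-specified level lies within the seusers clearance. If the requested range's low end may legitimately sit below the clearance's low end, say so in a comment above the constraint (the neighbouring translate constraint carries none either); otherwise consider constraining the low end as well, in the same style, so the constraint matches the permission's name.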



* Re: [PATCH] MLS context contains policy/libselinux changes
  2006-11-07 21:51 [PATCH] MLS context contains policy/libselinux changes James Antill
@ 2006-11-08  6:32 ` Joshua Brindle
  2006-11-08  6:40   ` James Antill
  2006-11-14 13:38 ` Christopher J. PeBenito
  1 sibling, 1 reply; 6+ messages in thread
From: Joshua Brindle @ 2006-11-08  6:32 UTC (permalink / raw)
  To: James Antill
  Cc: Christopher J. PeBenito, redhat-lspp, SE Linux, Stephen Smalley

James Antill wrote:
>  Here is the policy changes needed for the context contains security
> checking in PAM and cron.
> 

er, where did this come from? I haven't seen any discussions about this 
and have no idea what it's about (perhaps I've just totally missed it 
somehow though..)


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] MLS context contains policy/libselinux changes
  2006-11-08  6:32 ` Joshua Brindle
@ 2006-11-08  6:40   ` James Antill
  2006-11-08 13:31     ` Joshua Brindle
  0 siblings, 1 reply; 6+ messages in thread
From: James Antill @ 2006-11-08  6:40 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: Christopher J. PeBenito, redhat-lspp, SE Linux, Stephen Smalley


On Wed, 2006-11-08 at 01:32 -0500, Joshua Brindle wrote:
> James Antill wrote:
> >  Here is the policy changes needed for the context contains security
> > checking in PAM and cron.
> > 
> 
> er, where did this come from? I haven't seen any discussions about this 
> and have no idea what its about (perhaps I've just totally missed it 
> somehow though..)

 The gory details were under the thread "MLS enforcing PTYs, sshd, and
newrole"

-- 
James Antill <jantill@redhat.com>



* RE: [PATCH] MLS context contains policy/libselinux changes
  2006-11-08  6:40   ` James Antill
@ 2006-11-08 13:31     ` Joshua Brindle
  2006-11-08 14:00       ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Joshua Brindle @ 2006-11-08 13:31 UTC (permalink / raw)
  To: James Antill
  Cc: Christopher J. PeBenito, redhat-lspp, SE Linux, Stephen Smalley

> From: James Antill [mailto:jantill@redhat.com] 
> 
> On Wed, 2006-11-08 at 01:32 -0500, Joshua Brindle wrote:
> > James Antill wrote:
> > >  Here is the policy changes needed for the context 
> contains security 
> > > checking in PAM and cron.
> > > 
> > 
> > er, where did this come from? I haven't seen any discussions about 
> > this and have no idea what its about (perhaps I've just 
> totally missed 
> > it somehow though..)
> 
>  The gory details were under the thread "MLS enforcing PTYs, 
> sshd, and newrole"
> 

Ah, well that explains it, that thread was way too long and had MLS in
the subject.....

Any way I could get a summary/conclusion and description of the new
permission?



* RE: [PATCH] MLS context contains policy/libselinux changes
  2006-11-08 13:31     ` Joshua Brindle
@ 2006-11-08 14:00       ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2006-11-08 14:00 UTC (permalink / raw)
  To: Joshua Brindle
  Cc: James Antill, Christopher J. PeBenito, redhat-lspp, SE Linux

On Wed, 2006-11-08 at 08:31 -0500, Joshua Brindle wrote:
> > From: James Antill [mailto:jantill@redhat.com] 
> > 
> > On Wed, 2006-11-08 at 01:32 -0500, Joshua Brindle wrote:
> > > James Antill wrote:
> > > >  Here is the policy changes needed for the context 
> > contains security 
> > > > checking in PAM and cron.
> > > > 
> > > 
> > > er, where did this come from? I haven't seen any discussions about 
> > > this and have no idea what its about (perhaps I've just 
> > totally missed 
> > > it somehow though..)
> > 
> >  The gory details were under the thread "MLS enforcing PTYs, 
> > sshd, and newrole"
> > 
> 
> Ah, well that explains it, that thread was way too long and had MLS in
> the subject.....
> 
> Any way I could get a summary/conclusion and description of the new
> permission?

If we allow users to enter a level at login time (or specify a level for
a cron job), then we need to check that the Linux user was authorized
for that level (based on seusers).  As this gets into level comparisons,
which are policy-specific, it requires a permission check to the
security server.  The check is applied between a context generated from
the seusers entry for the user and the context modified with the
user-specified level.  The TE policy then authorizes it for the self
relationship (since the types are the same in both contexts), and the
MLS constraints ensure that the user-specified level is within the
seusers-specified clearance.  Same basic idea as the existing context
translate permission used to similarly check the ability of the user to
translate a given MLS level.

-- 
Stephen Smalley
National Security Agency


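The check Stephen describes, modelled in Python as an added example (not code from the thread, from refpolicy or from libselinux); the context field names, helper names and sample contexts are assumptions of this example, and the MLS side implements exactly the patch's constraint, (h1 dom h2):

```python
# Added example, not code from the thread or from refpolicy/libselinux: a model of
# the "context contains" check as the patch defines it, (h1 dom h2), between a
# context built from the user's seusers clearance (source) and the same context
# with the user-requested level (target). Field and helper names are assumptions.
def parse_level(level):
    """'s2:c0.c3,c7' -> (sensitivity, frozenset of category numbers)."""
    sens, _, cats = level.partition(":")
    cat_set = set()
    for item in cats.split(",") if cats else []:
        if "." in item:                      # 'c0.c3' is the range c0 through c3
            lo, hi = item.split(".")
            cat_set.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cat_set.add(int(item[1:]))
    return int(sens[1:]), frozenset(cat_set)

def parse_context(ctx):
    """'user:role:type:low-high' -> dict; the MLS field itself may contain ':'."""
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")        # a single level is its own high
    return {"user": user, "role": role, "type": type_,
            "low": parse_level(low), "high": parse_level(high or low)}

def dom(a, b):
    """MLS dominance: a dom b iff sens(a) >= sens(b) and cats(a) is a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def context_contains(source_ctx, target_ctx):
    """True if the patch's rules grant context:contains from source to target."""
    s, t = parse_context(source_ctx), parse_context(target_ctx)
    # TE side: the only rule added is 'allow $1_t self:context contains;',
    # so the check passes TE only when both contexts carry the same type.
    if s["type"] != t["type"]:
        return False
    # MLS side, exactly the added constraint: high of source dominates high of target.
    return dom(s["high"], t["high"])

# Constructed sample values (not from the thread): a staff user whose seusers
# entry yields the clearance s0-s2:c0.c5, and levels requested at login.
CLEARANCE = "staff_u:staff_r:staff_t:s0-s2:c0.c5"
REQUESTS = [
    "staff_u:staff_r:staff_t:s1:c0.c3",      # inside clearance -> allowed
    "staff_u:staff_r:staff_t:s3",            # sensitivity too high -> denied
    "staff_u:staff_r:staff_t:s2:c0.c7",      # extra categories -> denied
    "staff_u:staff_r:user_t:s0",             # different type, fails TE -> denied
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", "allowed" if context_contains(CLEARANCE, req) else "denied")
```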

* Re: [PATCH] MLS context contains policy/libselinux changes
  2006-11-07 21:51 [PATCH] MLS context contains policy/libselinux changes James Antill
  2006-11-08  6:32 ` Joshua Brindle
@ 2006-11-14 13:38 ` Christopher J. PeBenito
  1 sibling, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2006-11-14 13:38 UTC (permalink / raw)
  To: James Antill; +Cc: redhat-lspp, SE Linux, Stephen Smalley

On Tue, 2006-11-07 at 16:51 -0500, James Antill wrote:
>  Here is the policy changes needed for the context contains security
> checking in PAM and cron.

Merged.  Added require block to userdomain change since context is a
userland object class and thus not automatically required by the
gen_require() macro.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


