* do SELinux write/read permission checks exist?
@ 2006-11-22 13:49 Michael C Thompson
From: Michael C Thompson @ 2006-11-22 13:49 UTC (permalink / raw)
  To: SE Linux

So, I've managed to lose track of this in my mind, but does SELinux do 
permission checks for sys_read and sys_write?

Thanks,
Mike


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: do SELinux write/read permission checks exist?
From: Stephen Smalley @ 2006-11-22 14:36 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: SE Linux

On Wed, 2006-11-22 at 07:49 -0600, Michael C Thompson wrote:
> So, I've managed to lose track of this in my mind, but does SELinux do 
> permission checks for sys_read and sys_write?

Yes, they are covered by the security_file_permission ->
selinux_file_permission hooks.  However, for SELinux, those checks are
only for revalidation purposes to support revocation upon file relabels
or policy changes (and such revocation support is incomplete, e.g.
memory-mapped files, in-progress operations).  

A check should always be applied when a descriptor is obtained by a
process, e.g. the SELinux checking on open (selinux_inode_permission),
descriptor inheritance across execve (selinux_bprm_post_apply_creds),
and descriptor transfer across local IPC (selinux_file_receive), so that
a process can never obtain a descriptor for which it is not authorized.

-- 
Stephen Smalley
National Security Agency
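An added probe (not from the thread or from the SELinux code) that exercises the distinction Stephen describes: a descriptor and a memory mapping obtained before a relabel, then re-accessed afterwards. The read() path goes through security_file_permission and so gets revalidated; the mapping does not. The sample file content, the path used in the usage call and the target label "user_u:object_r:example_denied_t:s0" are constructed placeholders; on a host without SELinux labeling the relabel simply fails and both accesses keep working, which is what the probe reports.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Outcome of one probe: what the process could still do with a descriptor
 * and a mapping it obtained before the file's label changed. */
struct probe_result {
    int labeled;     /* file carried a security.selinux xattr */
    int relabeled;   /* fsetxattr(security.selinux, new_label) succeeded */
    int read_ok;     /* pread(2) through the pre-relabel descriptor succeeded */
    int read_errno;  /* errno from that pread when it failed */
    int mmap_ok;     /* a byte was readable through the pre-relabel mapping */
};

/* Current SELinux label of an open file. Returns the label length, or -1
 * with errno set (ENODATA or ENOTSUP on hosts without SELinux labeling). */
ssize_t get_label(int fd, char *buf, size_t len)
{
    return fgetxattr(fd, "security.selinux", buf, len);
}

/* Write a small constructed sample file so the probe has something to read. */
int make_sample_file(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs("constructed sample content for the revocation probe\n", f);
    return fclose(f);
}

/* Open path, map its first bytes, optionally relabel it, then retry access
 * through the descriptor and the mapping obtained before the relabel.
 * new_label == NULL skips the relabel step (useful on non-SELinux hosts). */
struct probe_result probe_revocation(const char *path, const char *new_label)
{
    struct probe_result r = {0};
    char label[256];
    char byte = 0;
    struct stat st;
    void *map = MAP_FAILED;

    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return r;

    r.labeled = get_label(fd, label, sizeof label) > 0;

    /* Mapping set up before the relabel; SELinux does not revalidate it. */
    if (fstat(fd, &st) == 0 && st.st_size > 0)
        map = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);

    /* Relabel in place; under SELinux this needs relabelfrom/relabelto. */
    if (new_label)
        r.relabeled = fsetxattr(fd, "security.selinux", new_label,
                                strlen(new_label), 0) == 0;

    /* read(2) path: vfs_read -> security_file_permission, which SELinux uses
     * to revalidate the descriptor against the (possibly new) label. */
    errno = 0;
    r.read_ok = pread(fd, &byte, 1, 0) == 1;
    r.read_errno = r.read_ok ? 0 : errno;

    /* Mapped access goes through the page-fault path, not file_permission. */
    if (map != MAP_FAILED) {
        byte = ((volatile char *)map)[0];
        r.mmap_ok = 1;
        munmap(map, (size_t)st.st_size);
    }
    (void)byte;
    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    /* Usage: ./probe /path/to/file [user_u:object_r:example_denied_t:s0] */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file> [new-selinux-label]\n", argv[0]);
        return 2;
    }
    struct probe_result r = probe_revocation(argv[1], argc > 2 ? argv[2] : NULL);
    printf("labeled=%d relabeled=%d read_ok=%d read_errno=%d mmap_ok=%d\n",
           r.labeled, r.relabeled, r.read_ok, r.read_errno, r.mmap_ok);
    return 0;
}
```

On an enforcing SELinux host, run it from a domain allowed to relabel the file but not to read the new type: relabeled=1 with read_ok=0 and read_errno=EACCES shows the file_permission revalidation working, while mmap_ok=1 shows the gap for memory-mapped files that the reply above mentions.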




* Re: do SELinux write/read permission checks exist?
From: Paul Moore @ 2006-11-22 14:51 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: SE Linux

Michael C Thompson wrote:
> So, I've managed to lose track of this in my mind, but does SELinux do 
> permission checks for sys_read and sys_write?

Take a look at vfs_write() and vfs_read() and you will see that they both call
the LSM security_file_permission() hook which under SELinux is defined by the
selinux_file_permission in security/selinux/hooks.c.

-- 
paul moore
linux security @ hp

