* Re: About the SELinux in FedoraCore
From: Daniel J Walsh @ 2007-08-27 15:53 UTC
To: Ian jonhson, SE Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian jonhson wrote:
> It sounds very good.
>
> Can I change the context of an object in user mode dynamically? What I
> mean is that I can fork some processes and allocate a different context
> (or domain context) to them, so they can create their own files
> (objects) holding a different file context.
>
> I googled some references about SELinux on the internet, and found many
> cases can be dealt with by Apol, and maybe it also needs to compile
> the policy file, right? Is it possible that I build a daemon to
> allocate a different domain context to its child processes? How to do it?

Yes, if SELinux policy allows, programs can change the context of
processes that they fork/exec. You can also just change the context of
the current running process, but this is not as secure.

You should ask your questions on the selinux@tycho.nsa.gov list.

> Thank you very much for your advice.
>
> Ian
>
> On 8/25/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Ian jonhson wrote:
>>> Dear Daniel,
>>>
>>> I studied your wiki of FedoraCore, but still don't know how to start
>>> my jobs. What I want to do is:
>>>
>>> With the help of SELinux,
>>>
>>> 1. add some identity tag in the subject's processes. The tag may be an
>>> integer, which can be set in the SID of SELinux.
>>>
>> SIDs are inside the kernel. What you call tags are called security
>> contexts; "strings" are used for processes and files/directories. When
>> they are associated with a process they are sometimes called a domain.
>> When they are with a physical object they are called a file context.
>>
>>> 2. the tag mentioned above can be stored in the local filesystem, if the
>>> subject's processes create their files or temporary files. In other
>>> words, objects (here, files) can hold a tag identifying who
>>> created them.
>>>
>> Well, in SELinux there are four parts of the security context. The
>> SELinux user will be associated with any file created by the process
>> that creates it. But there is also a file context. So as an example:
>>
>> system_u:system_r:smbd_t:s0 is the default security context of the
>> running samba process. We can set it up so that it has read-only access
>> to files/directories labeled system_u:object_r:public_content_rw_t:s0.
>> root:system_r:httpd_t:s0 is the process domain of the apache server, if
>> it had been restarted by the root SELinux user. It could be set up with
>> read/write access to system_u:object_r:public_content_rw_t:s0, depending
>> on how the policy is set up. If apache creates a file in a directory
>> labeled system_u:object_r:public_content_rw_t:s0, it will get a label
>> of root:object_r:public_content_rw_t:s0.
>>
>> If a third process, say named, running as system_u:object_r:named_t:s0
>> tries to read this file, SELinux will deny it.
>>
>> All three of these processes had UID=0.
>>
>> Read danwalsh.livejournal.com from the beginning for a full discussion
>> of how SELinux works.
>>
>>> 3. when two processes with different tags access a file holding the owner's
>>> tag, SELinux can distinguish the processes with different tags and
>>> do access control.
>>>
>>> The two processes with different tags can have different uids or
>>> even the same uid, but their tags are not the same.
>>>
>>> How to implement these functionalities?
>>>
>>> Could you give me some advice?
>>>
>>> Thanks in advance,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG0vN7rlYvE4MpobMRAgN/AJ9iLQnUYhuEhmuYZhEKPzZwWM/ItgCfSOBg
i30HYwWoxY3awdVUGMXtvmI=
=ch01
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: About the SELinux in FedoraCore
From: Ian jonhson @ 2007-08-28 5:00 UTC
To: Daniel J Walsh; +Cc: SE Linux

Thank you very much~

Could you give me some examples of how they do it? Especially about how
the process forks its child processes and changes their domain contexts.
In this case, I need not compile the policy, right? Also, I must
predefine some contexts before the parent process does the allocation,
but if there are many contexts needed to allocate, can I predefine
them as a parameter, because I don't know how many context strings I
will use?

For example, I define them as follows:

type my_context_%d

%d is a parameter, which can be 1,2,3,..., so I can create a large
group of contexts as:

my_context_1
my_context_2
my_context_3
...
my_context_n

but do not need to do the definition:

type my_context_1
type my_context_2
type my_context_3
...
type my_context_n

On 8/27/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Ian jonhson wrote:
>> It sounds very good.
>>
>> Can I change the context of an object in user mode dynamically? What I
>> mean is that I can fork some processes and allocate a different context
>> (or domain context) to them, so they can create their own files
>> (objects) holding a different file context.
>>
>> I googled some references about SELinux on the internet, and found many
>> cases can be dealt with by Apol, and maybe it also needs to compile
>> the policy file, right? Is it possible that I build a daemon to
>> allocate a different domain context to its child processes? How to do it?
> Yes, if SELinux policy allows, programs can change the context of
> processes that they fork/exec. You can also just change the context of
> the current running process, but this is not as secure.
>
> You should ask your questions on the selinux@tycho.nsa.gov list.
> [...]
* Re: About the SELinux in FedoraCore
From: Daniel J Walsh @ 2007-08-28 13:31 UTC
To: Ian jonhson; +Cc: SE Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian jonhson wrote:
> Thank you very much~
>
> Could you give me some examples of how they do it? Especially about how
> the process forks its child processes and changes their domain contexts.
> In this case, I need not compile the policy, right? Also, I must
> predefine some contexts before the parent process does the allocation,
> but if there are many contexts needed to allocate, can I predefine
> them as a parameter, because I don't know how many context strings I
> will use?
>
> For example, I define them as follows:
>
> type my_context_%d
>
> %d is a parameter, which can be 1,2,3,..., so I can create a large
> group of contexts as:
>
> my_context_1
> my_context_2
> my_context_3
> ...
> my_context_n
>
> but do not need to do the definition:
>
> type my_context_1
> type my_context_2
> type my_context_3
> ...
> type my_context_n
>

The commands you are looking for are setexeccon and setcon. But you need
to define all the contexts in policy and define rules that allow your
parent domain to transition to all the child domains, as well as having
the ability to setexeccon and setcon.

If you look at the pam_selinux source code under pam, you will see an
example of an application that does this at login.

> On 8/27/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Ian jonhson wrote:
>>> Is it possible that I build a daemon to
>>> allocate a different domain context to its child processes? How to do it?
>> Yes, if SELinux policy allows, programs can change the context of
>> processes that they fork/exec. You can also just change the context of
>> the current running process, but this is not as secure.
>> [...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG1CPDrlYvE4MpobMRArhQAJ43VwG4VWYU9cRBc+OHTnW7uBWv4QCeJdjf
P0rOEJlk1MGJBkXsrxIHZnA=
=mEtf
-----END PGP SIGNATURE-----
Thread overview: 3+ messages
[not found] <8f34198c0708250022v194622eaqb7926a1ef3508eeb@mail.gmail.com>
[not found] ` <46CFED5B.5010607@redhat.com>
[not found] ` <8f34198c0708260055t3206d9eajb5e51f9274e99f57@mail.gmail.com>
2007-08-27 15:53 ` About the SELinux in FedoraCore Daniel J Walsh
2007-08-28 5:00 ` Ian jonhson
2007-08-28 13:31 ` Daniel J Walsh