From: Daniel J Walsh
Date: Tue, 28 Aug 2007 09:31:48 -0400
To: Ian jonhson
CC: SE Linux
Subject: Re: About the SELinux in FedoraCore
Message-ID: <46D423C4.5090906@redhat.com>
In-Reply-To: <8f34198c0708272200o245e1edcl47d4004f7b5fa659@mail.gmail.com>
References: <8f34198c0708250022v194622eaqb7926a1ef3508eeb@mail.gmail.com>
 <46CFED5B.5010607@redhat.com>
 <8f34198c0708260055t3206d9eajb5e51f9274e99f57@mail.gmail.com>
 <46D2F37C.6030209@redhat.com>
 <8f34198c0708272200o245e1edcl47d4004f7b5fa659@mail.gmail.com>
List-Id: selinux@tycho.nsa.gov

Ian jonhson wrote:
> Thank you very much~
>
> Could you give me some example of how they do it? Especially how
> the process forks its child processes and changes their domain contexts.
> In this case, I need not compile the policy, right? Also, I must
> predefine some contexts before the parent process does the allocation,
> but if there are many contexts needed to allocate, can I predefine
> them with a parameter, because I don't know how many context strings I
> will use?
>
> For example, I define them as follows:
>
> type my_context_%d
>
> %d is a parameter, which can be 1,2,3,...., so I can create a large
> group of contexts as:
>
> my_context_1
> my_context_2
> my_context_3
> ...
> my_context_n
>
> but without needing to do the definition:
>
> type my_context_1
> type my_context_2
> type my_context_3
> ...
> type my_context_n
>
The commands you are looking for are setexeccon and setcon.
But you need to define all the contexts in policy and define rules that
allow your parent domain to transition to all the children domains, as
well as having the ability to setexeccon and setcon. If you look at the
pam_selinux source code under pam, you will see an example of an
application that does this at login.

> On 8/27/07, Daniel J Walsh wrote:
>> Ian jonhson wrote:
>>> It sounds very good.
>>>
>>> Can I change the context of an object in user mode dynamically? What I
>>> mean is that I can fork some processes and allocate different contexts
>>> (or domain contexts) to them, so they can create their own files
>>> (objects) holding different file contexts.
>>>
>>> I googled some references about SELinux on the internet, and found many
>>> cases can be dealt with by Apol, and maybe it also needs to compile
>>> the policy file, right? Is it possible that I build a daemon to
>>> allocate different domain contexts to its child processes? How to do it?
>>
>> Yes, if SELinux policy allows, programs can change the context of
>> processes that they fork/exec. You can also just change the context of
>> the current running process, but this is not as secure. You should ask
>> your questions on the selinux@tycho.nsa.gov list.
>>
>>> Thank you very much for your advice.
>>>
>>> Ian
>>>
>>> On 8/25/07, Daniel J Walsh wrote:
>>>> Ian jonhson wrote:
>>>>> Dear Daniel,
>>>>>
>>>>> I studied your wiki of FedoraCore, but still don't know how to start
>>>>> my jobs. What I want to do is:
>>>>>
>>>>> With the help of SELinux,
>>>>>
>>>>> 1. add some identity tag to a subject's processes. The tag maybe is an
>>>>> integer, which can be set in the SID of SELinux.
>>>>>
>>>> SIDs are inside the kernel. What you call tags are called security
>>>> contexts; these "strings" are used for processes and files/directories.
>>>> When they are associated with a process they are sometimes called a
>>>> domain. When they are with a physical object they are called a file
>>>> context.
>>>>
>>>>> 2. the tag mentioned above can be stored in the local filesystem, if the
>>>>> subject's processes create their files or temporary files. In other
>>>>> words, objects (here, files) can hold a tag identifying who
>>>>> created them.
>>>>>
>>>> Well, in SELinux there are four parts of the security context. The
>>>> SELinux user will be associated with any file created by the process
>>>> that creates it. But there is also a file context. So as an example:
>>>>
>>>> system_u:system_r:smbd_t:s0 is the default security context of the
>>>> running samba process. We can set it up so that it has read-only access
>>>> to files/directories labeled system_u:object_r:public_content_rw_t:s0.
>>>> root:system_r:httpd_t:s0 is the process domain of the apache server, if
>>>> it had been restarted by the root SELinux user. It could be set up with
>>>> read/write access to system_u:object_r:public_content_rw_t:s0, depending
>>>> on how the policy is set up. If apache creates a file in a directory
>>>> labeled system_u:object_r:public_content_rw_t:s0, it will get a label
>>>> of root:object_r:public_content_rw_t:s0.
>>>>
>>>> If a third process, say named, running as system_u:object_r:named_t:s0
>>>> tries to read this file, SELinux will deny it.
>>>>
>>>> All three of these processes had UID=0.
>>>>
>>>> Read danwalsh.livejournal.com from the beginning for a full discussion
>>>> of how SELinux works.
>>>>
>>>>> 3. when two processes with different tags access a file holding the
>>>>> owner's tag, SELinux can distinguish the processes with different tags
>>>>> and do access control.
>>>>>
>>>>> The two processes with different tags can have different uids or,
>>>>> even, the same uid, but their tags are not the same.
>>>>>
>>>>> How to implement these functionalities?
>>>>>
>>>>> Could you give me some advice?
>>>>>
>>>>> Thanks in advance,
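The setexeccon-based fork/exec pattern Dan points to, together with his caveat that every child domain must already be declared in policy (there is no my_context_%d wildcard), as an added C example that is not from this thread and not pam_selinux's code. The domain names my_parent_t and my_child_N_t, the table of declared child types, the policy rules in the opening comment and the parent context string are all assumptions made for the illustration.

```c
/* Added example (not from the thread or pam_selinux): a parent that forks
 * children into distinct SELinux domains via setexeccon(3). The domains
 * my_parent_t / my_child_N_t are hypothetical; each child type has to be
 * declared in policy by name and the transition allowed, e.g. in a .te module:
 *
 *   allow my_parent_t self:process setexec;
 *   allow my_parent_t my_child_1_t:process transition;
 *   allow my_child_1_t worker_exec_t:file entrypoint;
 *
 * setcon(3) would relabel the running process instead (process setcurrent +
 * dyntransition); this sticks to the exec-time transition Dan recommends. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* libselinux entry points declared weak so the file still builds, and the
 * pure helpers can be exercised, on a host where libselinux is not linked. */
extern int is_selinux_enabled(void) __attribute__((weak));
extern int security_check_context(const char *con) __attribute__((weak));
extern int setexeccon(const char *con) __attribute__((weak));

/* Child domains the (assumed) policy module declares. */
static const char *const child_types[] = {
    "my_child_1_t", "my_child_2_t", "my_child_3_t"
};

/* Non-zero if `type` is one of the policy-declared child domains. */
int child_type_known(const char *type)
{
    for (size_t i = 0; i < sizeof child_types / sizeof child_types[0]; i++)
        if (strcmp(child_types[i], type) == 0)
            return 1;
    return 0;
}

/* Derive the child context from the parent's user:role:type[:level] by
 * swapping the type field. Returns a malloc'd string, or NULL when the
 * parent context is malformed or the type is not declared. */
char *build_child_context(const char *parent_con, const char *child_type)
{
    if (!child_type_known(child_type))
        return NULL;
    const char *p1 = strchr(parent_con, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p2)
        return NULL;
    const char *level = strchr(p2 + 1, ':');        /* ":s0..." or absent */
    size_t prefix = (size_t)(p2 + 1 - parent_con);  /* "user:role:" */
    const char *suffix = level ? level : "";
    char *out = malloc(prefix + strlen(child_type) + strlen(suffix) + 1);
    if (!out)
        return NULL;
    memcpy(out, parent_con, prefix);
    strcpy(out + prefix, child_type);
    strcat(out, suffix);
    return out;
}

/* Fork and exec `argv` in `child_con`. setexeccon() labels only the calling
 * thread's next exec, so it is set before fork() and cleared in the parent
 * afterwards. Returns the child's pid, or -1 on failure. */
pid_t spawn_in_domain(const char *child_con, char *const argv[])
{
    if (!setexeccon || !is_selinux_enabled || is_selinux_enabled() <= 0) {
        fprintf(stderr, "SELinux not available; not spawning %s\n", child_con);
        return -1;
    }
    if (security_check_context && security_check_context(child_con) < 0) {
        fprintf(stderr, "%s is not valid under the loaded policy\n", child_con);
        return -1;
    }
    if (setexeccon(child_con) < 0) {
        perror("setexeccon");       /* EACCES: parent lacks process setexec */
        return -1;
    }
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);      /* fails if policy denies the transition */
        _exit(127);
    }
    setexeccon(NULL);               /* parent's own later execs keep its domain */
    return pid;
}

int main(void)
{
    const char *parent = "system_u:system_r:my_parent_t:s0"; /* constructed; real code: getcon(3) */
    char *argv[] = { "/bin/true", NULL };
    for (int i = 1; i <= 4; i++) {  /* my_child_4_t is deliberately undeclared */
        char type[32], *con;
        snprintf(type, sizeof type, "my_child_%d_t", i);
        if (!(con = build_child_context(parent, type))) {
            fprintf(stderr, "%s: not declared in policy, skipping\n", type);
            continue;
        }
        pid_t pid = spawn_in_domain(con, argv);
        if (pid > 0) { int st; waitpid(pid, &st, 0); printf("%s -> pid %d\n", con, (int)pid); }
        free(con);
    }
    return 0;
}
```

Build with `gcc -o spawn spawn.c -lselinux` on a host with libselinux; without it the weak references resolve to NULL and spawn_in_domain() refuses to fork rather than silently running a child in the parent's domain. The explicit table of child types is the point of Dan's objection to `my_context_%d`: a context string the loaded policy does not declare is rejected by security_check_context() before any transition is attempted.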