From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Daniel J Walsh <dwalsh@redhat.com>,
selinux@tycho.nsa.gov, Darrel Goeddel <dgoeddel@TrustedCS.com>
Subject: Re: How would I go about figuring out if two SELinux MLS Levels intersect?
Date: Wed, 20 Feb 2008 13:13:34 -0500 [thread overview]
Message-ID: <47BC6DCE.4040203@manicmethod.com> (raw)
In-Reply-To: <1203528489.9902.230.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Wed, 2008-02-20 at 12:25 -0500, Stephen Smalley wrote:
>
>> On Tue, 2008-02-19 at 17:13 -0500, Daniel J Walsh wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> s2:c0-s2:c0.c10 and s2:c9.c10
>>>
>>>
>>> IE How do I do the arbitration/dominance math in Code?
>>>
>> (cc'ing the list)
>>
>> You can model it as a permission check between the two contexts, and
>> then write a MLS constraint in policy that requires dominance or
>> whatever relationship you want. Then it is just an avc_has_perm call.
>> Same thing that we did for permission check in the pam_selinux code to
>> verify that the user's level is within his range. Or what we talked
>> about for applying a permission check in mcstransd to see if the
>> requestor is allowed to translate the context. Not sure that ever got
>> implemented in mcstransd though?
>>
>
> Also, just to note: the MLS dominance logic already exists within
> libsepol and within the kernel security server. We just have to expose
> it via an interface. One way to do that is to express it as a
> permission check, where we already have an interface. Another way would
> be to introduce a new interface specifically for that purpose.
>
I strongly disagree with exporting the security server logic in this
way, that will just encourage people to implement blp in their
application instead of using the security server interface to do
permission checking. This is based off what I've seen people trying to
do, even within the SELinux community, with respect to MLS.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2008-02-20 18:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <47BB5488.1070008@redhat.com>
2008-02-20 17:25 ` How would I go about figuring out if two SELinux MLS Levels intersect? Stephen Smalley
2008-02-20 17:28 ` Stephen Smalley
2008-02-20 18:13 ` Joshua Brindle [this message]
2008-02-20 18:19 ` Stephen Smalley
2008-02-21 20:50 ` Darrel Goeddel
2008-02-22 0:56 ` Joshua Brindle
2008-02-22 14:23 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47BC6DCE.4040203@manicmethod.com \
--to=method@manicmethod.com \
--cc=dgoeddel@TrustedCS.com \
--cc=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.