Re: questions about persistent storage of security contexts

[Andy Warner <warner@rubix.com>]

[-- Attachment #1: Type: text/plain, Size: 2973 bytes --]



Stephen Smalley wrote:
> On Tue, 2008-07-22 at 13:58 +0200, Andy Warner wrote:
>   
>> Thanks for the info, all is now clear!
>>
>> One more question (from an SELinux newbie!) that has been nagging away
>> at me in regards to the MLS portion of the security context. In the
>> MLS label we have the sensitivity (s0, s1, etc) and the category (c0,
>> c2, etc). Now, as for the categories, its seems clear that in order
>> for label1 to (potentially) dominate label2, then label1 must contain
>> all the categories contained in label2 (i.e., *:c1,c3 can potentially
>> dominate *:c3 where as *:c1 can never dominate *:c3). c0, c1, etc are
>> just names of categories and the only relationship between them is
>> equality or non-equality.
>>
>> But with the sensitivity we have an ordering relationship, e.g., s3 is
>> greater than (or higher, or strictly dominates) s1. The numbering
>> applied to the sensitivity seems to imply (or define?) what that
>> ordering is (s3 is greater than s1 because 3 is greater than 1). Is
>> this numerical ordering a fixed part of the SELinux MLS policy or are
>> the sensitivities simply "names" and how the policy is written defines
>> the ordering. That is, is it possible for a configuration of SELinux
>> MLS to have s0 strictly dominate s3?
>>     
>
> Yes - they are just names and the dominance relationship is defined by
> the policy configuration.
>
> Computing dominance has been handled in a couple of different ways in
> the past:
> 1) Model it as a permission check, with a MLS constraint defined on the
> permission and allowing the type relationship.
> 2) Introduce an interface to the kernel security server to provide
> dominance computations.
>
> See the mailing list archives for more discussion.
>
>   
Is there any requirement that the MLS policy be Bell-LaPadula ? Or can 
it contain arbitrary information flows? (I am guessing the latter). If 
not BL, then does that make dominance relationships only something that 
can be determined for a subset of policy instances? I am assuming the 
LSPP evaluation uses a BL policy instance (?).

Thanks again for the info!

>> My reason for asking is, if the "numerical ordering" of the
>> sensitivities is always true then I can easily write my own functions
>> to perform dominance checks of the MLS labels and those functions do
>> not need to consult the SELinux API. If the sensitivities are just
>> "names" and the policy instance can define any ordering relationship,
>> then any functions written to perform dominance checks must call the
>> SELinux API and seem non-trivial because no dominance check (only) API
>> is provided and the TE behavior will somehow need to be "filtered"
>> from the security check result.
>>     
>
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>   

[-- Attachment #2: Type: text/html, Size: 3549 bytes --]