From: Andy Warner <warner@rubix.com>
To: KaiGai Kohei <kaigai@kaigai.gr.jp>
Cc: KaiGai Kohei <kaigai@ak.jp.nec.com>,
cpebenito@tresys.com, method@manicmethod.com,
selinux@tycho.nsa.gov, refpolicy@oss.tresys.com
Subject: Re: [RFC] Security policy reworks for SE-PostgreSQL
Date: Tue, 31 Mar 2009 22:39:19 +0200 [thread overview]
Message-ID: <49D27F77.4040906@rubix.com> (raw)
In-Reply-To: <49D27E6C.5000106@kaigai.gr.jp>
[-- Attachment #1: Type: text/plain, Size: 1492 bytes --]
KaiGai Kohei wrote:
>> I am referring to things like:
>>
>> mlsconstrain { db_tuple } { use select }
>> (( l1 dom l2 ) or
>> (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
>> ( t1 == mlsdbread ) or
>> ( t2 == mlstrustedobject ));
>>
>
> I noticed the db_xxx:{use} permission remained here. :-)
>
The example I used above is from an older version of the reference policy.
>
>> where t1 == mlsdbread seems to imply an object is trusted to read
>> strictly dominating objects. Unless I am missing the meaning here, I
>> would call this a MAC override. I realize there is no concept of a TE
>> override, but MLS is part of MAC, no? And, this violates B&L rules. This
>> is something we would control with a Security Administrator "role". Or,
>> is this mlsdbread something that is impossible to give to a domain in a
>> DBMS policy?
>>
>
> It is different from my usage of terms.
> Some of domains are allowed to access the tuple, and others are
> disallowed as the result of access controls using the security
> policy.
>
> I understood the term of "MAC override" to express what actions
> are allowed without any checks based on security policy, as if
> root stuff can ignore DAC checks.
>
Ya, definitions, definitions :-) Coming from an MLS world, MAC override
meant superseding the B&L policy. In a general sense we use special
authorizations for that (our Security Admin role), while SELinux has a
built in mechanism (mlsdbread)
> Thanks,
>
[-- Attachment #2: Type: text/html, Size: 2126 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: warner@rubix.com (Andy Warner)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
Date: Tue, 31 Mar 2009 22:39:19 +0200 [thread overview]
Message-ID: <49D27F77.4040906@rubix.com> (raw)
In-Reply-To: <49D27E6C.5000106@kaigai.gr.jp>
KaiGai Kohei wrote:
>> I am referring to things like:
>>
>> mlsconstrain { db_tuple } { use select }
>> (( l1 dom l2 ) or
>> (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
>> ( t1 == mlsdbread ) or
>> ( t2 == mlstrustedobject ));
>>
>
> I noticed the db_xxx:{use} permission remained here. :-)
>
The example I used above is from an older version of the reference policy.
>
>> where t1 == mlsdbread seems to imply an object is trusted to read
>> strictly dominating objects. Unless I am missing the meaning here, I
>> would call this a MAC override. I realize there is no concept of a TE
>> override, but MLS is part of MAC, no? And, this violates B&L rules. This
>> is something we would control with a Security Administrator "role". Or,
>> is this mlsdbread something that is impossible to give to a domain in a
>> DBMS policy?
>>
>
> It is different from my usage of terms.
> Some of domains are allowed to access the tuple, and others are
> disallowed as the result of access controls using the security
> policy.
>
> I understood the term of "MAC override" to express what actions
> are allowed without any checks based on security policy, as if
> root stuff can ignore DAC checks.
>
Ya, definitions, definitions :-) Coming from an MLS world, MAC override
meant superseding the B&L policy. In a general sense we use special
authorizations for that (our Security Admin role), while SELinux has a
built in mechanism (mlsdbread)
> Thanks,
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090331/1bdb4cb0/attachment.html
next prev parent reply other threads:[~2009-03-31 20:41 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-31 8:55 [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-03-31 8:55 ` [refpolicy] " KaiGai Kohei
2009-03-31 10:05 ` Andy Warner
2009-03-31 10:05 ` [refpolicy] " Andy Warner
2009-03-31 13:51 ` KaiGai Kohei
2009-03-31 13:51 ` [refpolicy] " KaiGai Kohei
2009-03-31 15:11 ` Andy Warner
2009-03-31 15:11 ` [refpolicy] " Andy Warner
2009-03-31 20:34 ` KaiGai Kohei
2009-03-31 20:34 ` [refpolicy] " KaiGai Kohei
2009-03-31 20:39 ` Andy Warner [this message]
2009-03-31 20:39 ` Andy Warner
2009-03-31 20:46 ` Joshua Brindle
2009-03-31 21:08 ` Andy Warner
2009-03-31 21:08 ` [refpolicy] " Andy Warner
2009-04-01 17:05 ` Joshua Brindle
2009-04-01 0:30 ` KaiGai Kohei
2009-04-01 0:30 ` [refpolicy] " KaiGai Kohei
2009-04-02 8:15 ` KaiGai Kohei
2009-04-02 8:15 ` KaiGai Kohei
2009-04-02 14:27 ` Joshua Brindle
2009-04-02 15:09 ` Christopher J. PeBenito
2009-04-02 15:09 ` Christopher J. PeBenito
2009-04-03 1:17 ` KaiGai Kohei
2009-04-03 1:17 ` KaiGai Kohei
2009-04-03 18:12 ` Joshua Brindle
2009-04-05 0:52 ` KaiGai Kohei
2009-04-05 0:52 ` KaiGai Kohei
2009-04-06 2:15 ` KaiGai Kohei
2009-04-06 2:15 ` KaiGai Kohei
2009-04-06 18:48 ` SELinux packages version (svn2950) Hasan Rezaul-CHR010
2009-04-06 19:18 ` Joshua Brindle
2009-04-06 19:48 ` Hasan Rezaul-CHR010
2009-04-06 20:14 ` Joshua Brindle
2009-04-06 20:30 ` Hasan Rezaul-CHR010
2009-04-06 20:37 ` Joshua Brindle
2009-04-12 23:45 ` [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-04-12 23:45 ` KaiGai Kohei
2009-04-20 20:07 ` Christopher J. PeBenito
2009-04-20 20:07 ` Christopher J. PeBenito
2009-04-20 23:27 ` KaiGai Kohei
2009-04-20 23:27 ` KaiGai Kohei
2009-05-07 12:24 ` Christopher J. PeBenito
2009-05-07 12:24 ` Christopher J. PeBenito
2009-05-08 3:56 ` KaiGai Kohei
2009-05-08 3:56 ` KaiGai Kohei
2009-05-08 4:05 ` KaiGai Kohei
2009-05-08 4:05 ` KaiGai Kohei
2009-05-21 11:49 ` Christopher J. PeBenito
2009-05-21 11:49 ` Christopher J. PeBenito
2009-05-08 4:12 ` KaiGai Kohei
2009-05-08 4:12 ` KaiGai Kohei
2009-05-22 13:38 ` Christopher J. PeBenito
2009-05-22 13:38 ` Christopher J. PeBenito
2009-05-21 11:28 ` Christopher J. PeBenito
2009-05-21 11:28 ` Christopher J. PeBenito
2009-04-21 2:51 ` KaiGai Kohei
2009-04-21 2:51 ` KaiGai Kohei
2009-05-07 13:08 ` Christopher J. PeBenito
2009-05-07 13:08 ` Christopher J. PeBenito
2009-04-03 0:25 ` KaiGai Kohei
2009-04-03 0:25 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49D27F77.4040906@rubix.com \
--to=warner@rubix.com \
--cc=cpebenito@tresys.com \
--cc=kaigai@ak.jp.nec.com \
--cc=kaigai@kaigai.gr.jp \
--cc=method@manicmethod.com \
--cc=refpolicy@oss.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.