diff for duplicates of <49D28656.1090504@rubix.com> diff --git a/a/1.txt b/N1/1.txt index 35816a5..8966162 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -79,4 +79,7 @@ it may target specific objects, specific subjects, and specific overrides. > > http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html > -> +> +-------------- next part -------------- +An HTML attachment was scrubbed... +URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090331/46c8b960/attachment.html diff --git a/a/2.bin b/a/2.bin deleted file mode 100644 index b4d7bd6..0000000 --- a/a/2.bin +++ /dev/null 
@@ -1,111 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html> -<head> - <meta content="text/html;charset=ISO-2022-JP" - http-equiv="Content-Type"> -</head> -<body bgcolor="#ffffff" text="#000000"> -<br> -<br> -Joshua Brindle wrote: -<blockquote cite="mid:49D2812B.50504@manicmethod.com" type="cite"> - <pre wrap="">Andy Warner wrote: - </pre> - <blockquote type="cite"> - <pre wrap=""> -KaiGai Kohei wrote: - </pre> - <blockquote type="cite"> - <blockquote type="cite"> - <pre wrap="">I am referring to things like: - -mlsconstrain { db_tuple } { use select } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - - </pre> - </blockquote> - <pre wrap="">I noticed the db_xxx:{use} permission remained here. :-) - - </pre> - </blockquote> - <pre wrap="">The example I used above is from an older version of the reference policy. - </pre> - <blockquote type="cite"> - <pre wrap=""> - </pre> - <blockquote type="cite"> - <pre wrap="">where t1 == mlsdbread seems to imply an object is trusted to read -strictly dominating objects. Unless I am missing the meaning here, I -would call this a MAC override. I realize there is no concept of a TE -override, but MLS is part of MAC, no? And, this violates B&L rules. This -is something we would control with a Security Administrator "role". Or, -is this mlsdbread something that is impossible to give to a domain in a -DBMS policy? - - </pre> - </blockquote> - <pre wrap="">It is different from my usage of terms. -Some of domains are allowed to access the tuple, and others are -disallowed as the result of access controls using the security -policy. - -I understood the term of "MAC override" to express what actions -are allowed without any checks based on security policy, as if -root stuff can ignore DAC checks. 
- - </pre> - </blockquote> - <pre wrap="">Ya, definitions, definitions :-) Coming from an MLS world, MAC override -meant superseding the B&L policy. In a general sense we use special -authorizations for that (our Security Admin role), while SELinux has a -built in mechanism (mlsdbread) - </pre> - </blockquote> - <pre wrap=""><!----> -SELinux doesn't have a built in mechanism, </pre> -</blockquote> -<br> -By built in mechanism I meant exactly what you describe below. Maybe it -wasn't the best choice of words. The SELinux policy (the MLS policy) -provides a mechanism for the policy writer to assign the ability to -violate B&L information flow. Thus, it would be redundant for the -db_database object to have a permissions for something like "read-up", -etc. If I were to compare that with the Trusted Solaris type policy -mechanism, there was no such mechanism. Our DB would have to perform -the dominance check for an operation, then decide ourselves if the user -had sufficient authorizations to violate B&L. With the current -SELinux MLS policy, all of that is done with one access check. The mac -override type privilege you would see in TSol 8, etc would allow a -process to perform some operation while ignoring the mac policy. This -does not help our DB make a policy decision on a subject as they access -a DBMS object.<br> -<blockquote cite="mid:49D2812B.50504@manicmethod.com" type="cite"> - <pre wrap="">mlsdbread is an attribute that you -give to domains that can violate this particular MLS constraint. Rather than -having a generic MAC_OVERRIDE like other MLS implementations we went with finer -grained overrides, you can see them all in kernel/mls.te. - </pre> -</blockquote> -Yep, thats where i got the example above. Our past approach was to -disallow any mac override directly and let them change their session -level. We would then restrict them to read or read/write depending on -their authorizations. 
The selinux mechanism is better as, by its -nature, it may target specific objects, specific subjects, and specific -overrides.<br> -<blockquote cite="mid:49D2812B.50504@manicmethod.com" type="cite"> - <pre wrap=""> -there are also interfaces in mls.if to do the various overrides (rather than -adding the attribute yourself), for example if you wanted foo_t to be able to -read files of all levels you could call: - -mls_file_read_all_levels(foo_t) - -<a class="moz-txt-link-freetext" href="http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html">http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html</a> - - </pre> -</blockquote> -</body> -</html> diff --git a/a/2.hdr b/a/2.hdr deleted file mode 100644 index 4d5ce0e..0000000 --- a/a/2.hdr +++ /dev/null @@ -1,2 +0,0 @@ -Content-Type: text/html; charset=ISO-2022-JP -Content-Transfer-Encoding: 7bit diff --git a/a/content_digest b/N1/content_digest index 3d01a3b..e127b38 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -5,16 +5,11 @@ "ref\049D27E6C.5000106@kaigai.gr.jp\0" "ref\049D27F77.4040906@rubix.com\0" "ref\049D2812B.50504@manicmethod.com\0" - "From\0Andy Warner <warner@rubix.com>\0" - "Subject\0Re: [RFC] Security policy reworks for SE-PostgreSQL\0" + "From\0warner@rubix.com (Andy Warner)\0" + "Subject\0[refpolicy] [RFC] Security policy reworks for SE-PostgreSQL\0" "Date\0Tue, 31 Mar 2009 23:08:38 +0200\0" - "To\0Joshua Brindle <method@manicmethod.com>\0" - "Cc\0KaiGai Kohei <kaigai@kaigai.gr.jp>" - KaiGai Kohei <kaigai@ak.jp.nec.com> - cpebenito@tresys.com - selinux@tycho.nsa.gov - " refpolicy@oss.tresys.com\0" - "\01:1\0" + "To\0refpolicy@oss.tresys.com\0" + "\00:1\0" "b\0" "\n" "\n" 
@@ -97,119 +92,9 @@ ">\n" "> http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html\n" ">\n" - > - "\01:2\0" - "b\0" - "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n" - "<html>\n" - "<head>\n" - " <meta content=\"text/html;charset=ISO-2022-JP\"\n" - " http-equiv=\"Content-Type\">\n" - "</head>\n" - "<body bgcolor=\"#ffffff\" text=\"#000000\">\n" - "<br>\n" - "<br>\n" - "Joshua Brindle wrote:\n" - "<blockquote cite=\"mid:49D2812B.50504@manicmethod.com\" type=\"cite\">\n" - " <pre wrap=\"\">Andy Warner wrote:\n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">\n" - "KaiGai Kohei wrote:\n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">I am referring to things like:\n" - "\n" - "mlsconstrain { db_tuple } { use select }\n" - " (( l1 dom l2 ) or\n" - " (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - " ( t1 == mlsdbread ) or\n" - " ( t2 == mlstrustedobject ));\n" - " \n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\">I noticed the db_xxx:{use} permission remained here. :-)\n" - " \n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\">The example I used above is from an older version of the reference policy.\n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\"> \n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">where t1 == mlsdbread seems to imply an object is trusted to read \n" - "strictly dominating objects. Unless I am missing the meaning here, I \n" - "would call this a MAC override. I realize there is no concept of a TE \n" - "override, but MLS is part of MAC, no? And, this violates B&L rules. This \n" - "is something we would control with a Security Administrator \"role\". 
Or, \n" - "is this mlsdbread something that is impossible to give to a domain in a \n" - "DBMS policy?\n" - " \n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\">It is different from my usage of terms.\n" - "Some of domains are allowed to access the tuple, and others are\n" - "disallowed as the result of access controls using the security\n" - "policy.\n" - "\n" - "I understood the term of \"MAC override\" to express what actions\n" - "are allowed without any checks based on security policy, as if\n" - "root stuff can ignore DAC checks.\n" - " \n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\">Ya, definitions, definitions :-) Coming from an MLS world, MAC override \n" - "meant superseding the B&L policy. In a general sense we use special \n" - "authorizations for that (our Security Admin role), while SELinux has a \n" - "built in mechanism (mlsdbread)\n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\"><!---->\n" - "SELinux doesn't have a built in mechanism, </pre>\n" - "</blockquote>\n" - "<br>\n" - "By built in mechanism I meant exactly what you describe below. Maybe it\n" - "wasn't the best choice of words. The SELinux policy (the MLS policy)\n" - "provides a mechanism for the policy writer to assign the ability to\n" - "violate B&L information flow. Thus, it would be redundant for the\n" - "db_database object to have a permissions for something like \"read-up\",\n" - "etc. If I were to compare that with the Trusted Solaris type policy\n" - "mechanism, there was no such mechanism. Our DB would have to perform\n" - "the dominance check for an operation, then decide ourselves if the user\n" - "had sufficient authorizations to violate B&L. With the current\n" - "SELinux MLS policy, all of that is done with one access check. The mac\n" - "override type privilege you would see in TSol 8, etc would allow a\n" - "process to perform some operation while ignoring the mac policy. 
This\n" - "does not help our DB make a policy decision on a subject as they access\n" - "a DBMS object.<br>\n" - "<blockquote cite=\"mid:49D2812B.50504@manicmethod.com\" type=\"cite\">\n" - " <pre wrap=\"\">mlsdbread is an attribute that you\n" - "give to domains that can violate this particular MLS constraint. Rather than\n" - "having a generic MAC_OVERRIDE like other MLS implementations we went with finer\n" - "grained overrides, you can see them all in kernel/mls.te.\n" - " </pre>\n" - "</blockquote>\n" - "Yep, thats where i got the example above. Our past approach was to\n" - "disallow any mac override directly and let them change their session\n" - "level. We would then restrict them to read or read/write depending on\n" - "their authorizations. The selinux mechanism is better as, by its\n" - "nature, it may target specific objects, specific subjects, and specific\n" - "overrides.<br>\n" - "<blockquote cite=\"mid:49D2812B.50504@manicmethod.com\" type=\"cite\">\n" - " <pre wrap=\"\">\n" - "there are also interfaces in mls.if to do the various overrides (rather than\n" - "adding the attribute yourself), for example if you wanted foo_t to be able to\n" - "read files of all levels you could call:\n" - "\n" - "mls_file_read_all_levels(foo_t)\n" - "\n" - "<a class=\"moz-txt-link-freetext\" href=\"http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html\">http://oss.tresys.com/docs/refpolicy/api/kernel_mls.html</a>\n" - "\n" - " </pre>\n" - "</blockquote>\n" - "</body>\n" - "</html>\n" + "> \n" + "-------------- next part --------------\n" + "An HTML attachment was scrubbed...\n" + URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090331/46c8b960/attachment.html -73e84bddcf1830e9f3b784d00b62cca2c08f7701eae832f76e624e48022ac450 +4787c40daa5aca71bc0bd0d2d39dee42ae165d1b5f2e8abb98952f09f0c09585
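Review bot: in the `1.txt` hunk the N1 copy ends with an "An HTML attachment was scrubbed..." stub and a `URL:` line, and `a/2.bin` with `a/2.hdr` is deleted outright, so the HTML part of this message survives in N1 only as a pointer to an external pipermail host. The second `content_digest` hunk confirms that the N1 digest now covers the stub text rather than the `text/html` body. Treat the `a/` copy as the reference for this message, since it still carries both parts inline.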
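Review bot: in the first `content_digest` hunk the N1 side drops the entire `Cc` list, rewrites `To` to `refpolicy@oss.tresys.com`, changes `From` to the `warner@rubix.com (Andy Warner)` form, and replaces `Re: [RFC] ...` in `Subject` with `[refpolicy] [RFC] ...`, so any comparison keyed on these headers would see two different messages and lose the reply marker. Pair the copies on the Message-ID and the `ref` lines instead, which appear only as unchanged context here, and take the recipient list from the `a/` side when it matters who was copied.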