From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, Eamon Walsh <ewalsh@tycho.nsa.gov>
Subject: Re: [RFC][PATCH] selinux: dynamic class/perm discovery
Date: Wed, 30 Sep 2009 11:47:17 +0900
Message-ID: <4AC2C6B5.5020707@ak.jp.nec.com>
In-Reply-To: <1254149650.14478.31.camel@moss-pluto.epoch.ncsc.mil>

>> * May be a short-tempered requirement.
>>
>> It would be preferable if the userspace object manager could make a query
>> using the object class and access vectors in text representation, not
>> the results of string_to_security_class(), because userspace cannot
>> make sure that string_to_security_class() and security_compute_av()
>> are handled atomically.
>>
>> The security policy may be reloaded between string_to_security_class()
>> and security_compute_av() in a corner case.
>> BTW, SE-PostgreSQL checks the sequence number of the security policy and redoes
>> the checks if the security policy was reloaded. But it is not perfect. The netlink
>> socket message can be delayed. :-(
>> http://code.google.com/p/sepgsql/source/browse/branches/pgsql-8.4.x/sepgsql/src/backend/security/sepgsql/avc.c#565
>>
>> If the text -> code translation and the lookups of the security policy can be done
>> within a single read_lock(&policy_rwlock) block, we can guarantee that
>> security_compute_av() is not invoked based on an incorrect object class code.
>
> We could either add a new node to selinuxfs that takes the string
> representation, or just modify the existing handler functions to
> automatically detect whether they were passed an integer or a string and
> act accordingly. But I'd view that as a separate follow-on patch.
Yes, I'll submit it later.
(But my recent workload is high due to pgsql-hackers...)
Maybe a userspace application or a libselinux wrapper will write into
a new selinuxfs node as follows:
IN -> "system_u:system_r:httpd_t:s0 system_u:object_r:sepgsql_table_t:s0 db_table"
OUT <- "allowed:getattr,select,update,insert,delete auditallow: auditdeny:(snip)"
It is important that symbolic identifiers are used in both input and output.
If the kernel returns the codes of the access vectors, it makes no sense.
It's just an idea. Please don't heat up this topic now.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
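As an added illustration of the race KaiGai describes (this is not code from the thread, from SELinux or from libselinux), here is a toy Python model of the three query styles discussed above: a policy whose class codes are renumbered by a reload, the plain two-step lookup that ends up checking the wrong class, the sequence-number retry that SE-PostgreSQL uses, and the proposed text-only selinuxfs node together with a parser for its symbolic response. The contexts and permission sets are constructed from the IN/OUT sketch in the message; the lock, the seqno semantics and the response field names are assumptions of this model, not kernel behaviour.

```python
"""Toy model of the string_to_security_class()/security_compute_av() race.
Added example; not from the thread, SELinux or libselinux."""
import threading

PERM_FIELDS = ("allowed", "auditallow", "auditdeny")

# Constructed sample contexts, taken from the IN/OUT sketch in the message.
HTTPD = "system_u:system_r:httpd_t:s0"
TABLE = "system_u:object_r:sepgsql_table_t:s0"

# Constructed AV rules: (scontext, tcontext, class name) -> permission sets.
RULES = {
    (HTTPD, TABLE, "db_table"): {"allowed": {"getattr", "select", "update",
                                             "insert", "delete"}},
    (HTTPD, TABLE, "db_column"): {"allowed": {"getattr"}},
}
# With dynamic class discovery the numeric codes depend on load order, so a
# reload may renumber classes: here "db_table" is 1 before and 2 after
# (constructed scenario).
CLASSES_V1 = {"db_table": 1, "db_column": 2}
CLASSES_V2 = {"db_column": 1, "db_table": 2}


class ToyPolicy:
    """Stand-in for the kernel policydb: name->code map, AV rules and a
    sequence number that is bumped on every reload (assumed semantics)."""

    def __init__(self, classes, rules):
        self.lock = threading.RLock()  # plays the role of policy_rwlock
        self.seqno = 0
        self._load(classes, rules)

    def _load(self, classes, rules):
        self.classes = dict(classes)
        self.codes = {code: name for name, code in classes.items()}
        self.rules = {key: {f: set(av.get(f, ())) for f in PERM_FIELDS}
                      for key, av in rules.items()}

    def reload(self, classes, rules):
        with self.lock:
            self._load(classes, rules)
            self.seqno += 1

    def string_to_security_class(self, name):
        with self.lock:
            return self.classes[name]

    def security_compute_av(self, scon, tcon, tclass_code):
        """Decision keyed by the numeric code; a stale code names the wrong class."""
        with self.lock:
            name = self.codes[tclass_code]
            return self.rules.get((scon, tcon, name),
                                  {f: set() for f in PERM_FIELDS})


def two_step_check(policy, scon, tcon, tclass, reload_between=None):
    """Current userspace sequence: translate, then compute.  `reload_between`
    (a callable) injects the corner-case reload between the two steps."""
    code = policy.string_to_security_class(tclass)
    if reload_between:
        reload_between()
    return policy.security_compute_av(scon, tcon, code)["allowed"]


def seqno_retry_check(policy, scon, tcon, tclass, reload_between=None,
                      max_tries=3):
    """SE-PostgreSQL-style mitigation: redo both steps when the policy
    sequence number changed underneath them."""
    for _ in range(max_tries):
        before = policy.seqno
        code = policy.string_to_security_class(tclass)
        if reload_between:
            reload_between()
            reload_between = None  # the injected reload fires only once
        av = policy.security_compute_av(scon, tcon, code)["allowed"]
        if policy.seqno == before:
            return av
    raise RuntimeError("policy kept reloading; giving up")


def compute_av_by_name(policy, request):
    """Proposed text node: "scontext tcontext class" in, one symbolic line out,
    with translation and lookup under a single lock so no reload interleaves."""
    scon, tcon, tclass = request.split()
    with policy.lock:
        code = policy.string_to_security_class(tclass)
        av = policy.security_compute_av(scon, tcon, code)
    return " ".join(f"{f}:{','.join(sorted(av[f]))}" for f in PERM_FIELDS)


def parse_av_response(line):
    """Parse the symbolic response into permission sets; unknown, duplicated
    or missing fields are rejected so a truncated reply never reads as a grant."""
    out = {}
    for field in line.split():
        name, sep, perms = field.partition(":")
        if not sep or name not in PERM_FIELDS or name in out:
            raise ValueError(f"bad field: {field!r}")
        out[name] = {p for p in perms.split(",") if p}
    if set(out) != set(PERM_FIELDS):
        raise ValueError("incomplete response")
    return out


def demo():
    """Run the three variants with a reload injected at the worst moment."""
    p1 = ToyPolicy(CLASSES_V1, RULES)
    racy = two_step_check(p1, HTTPD, TABLE, "db_table",
                          lambda: p1.reload(CLASSES_V2, RULES))
    p2 = ToyPolicy(CLASSES_V1, RULES)
    retried = seqno_retry_check(p2, HTTPD, TABLE, "db_table",
                                lambda: p2.reload(CLASSES_V2, RULES))
    p3 = ToyPolicy(CLASSES_V1, RULES)
    line = compute_av_by_name(p3, f"{HTTPD} {TABLE} db_table")
    return {"two_step": racy, "seqno_retry": retried,
            "by_name": parse_av_response(line)["allowed"]}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:12s} allowed={sorted(allowed)}")
```

In the model the two-step variant silently returns db_column's decision (only getattr) because code 1 changed meaning under it, the seqno retry notices the bump and repeats the pair, and the by-name query never sees a stale code because both steps run under the same lock; the parser is the userspace half of the symbolic interface the message argues for.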
Thread overview:
2009-09-23 20:53 [RFC][PATCH] selinux: dynamic class/perm discovery Stephen Smalley
2009-09-24 8:41 ` KaiGai Kohei
2009-09-28 14:54 ` Stephen Smalley
2009-09-30 2:47 ` KaiGai Kohei [this message]