From: Behnaz Hassanshahi
To: SELinux
Subject: temporal role base access control in Linux
Date: Sun, 7 Nov 2010 04:20:59 -0800 (PST)

Hi,

I want to enforce temporal role-based access control on the Fedora 10 platform. Therefore, I have written a piece of code which receives simple temporal policy rules and updates a file in which disallowed roles are kept. In order to attach the code to the Fedora core, I am making use of SELinux modules. I wonder if the avc_has_perm(...) function in libselinux/src/avc.c can be the right place for using my code, where requests will be granted or denied access. Actually, I had thought about getting the role field from the security_id_t (@ssid) and comparing it with the denied roles that my code computes. If I'm wrong and this will not work out, are there any other suggestions for attaching my code to SELinux?

Best regards,
Behnaz


--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: "cto@itechfrontiers.com"
To: Behnaz Hassanshahi
CC: SELinux
Subject: Re: temporal role base access control in Linux
Date: Sun, 07 Nov 2010 09:39:52 -0500

Hello,

avc_has_perm() is for checking whether permissions are granted or not (Access Vector Cache). A proper method of extending security functionality would be using the LSM APIs and SELinux hooks (LSM: Linux Security Module):
http://www.nsa.gov/research/_files/selinux/papers/module/x280.shtml

But TRBAC can be simulated with SELinux even without writing specific code or modifying SELinux, by combining an appropriate predefined set of policies and a scheduler process or hierarchical scheduler with enough (higher) privileges to load policies on the fly. Of course, this holds if such usage does not need atomic role/policy entry (I don't see any practical use for such atomic role entry anyway).

You can find more on implementation here:
http://selinuxproject.org/page/NB_LSM

I'm sorry, but with all due respect, I don't know if helping people in Iran on the subject is legal or not (I'm not a lawyer), but judging from the source of your mail (which is Iran), I prefer not to be involved in any particular help. Anyway, this is a project developed primarily by the National Security Agency of the USA and its contributors.

Yours,
Patrick K.
From: Cliffe
To: "cto@itechfrontiers.com"
CC: Behnaz Hassanshahi, SELinux
Subject: Re: temporal role base access control in Linux
Date: Sun, 07 Nov 2010 23:37:20 +0800

On 7/11/2010 10:39 PM, cto@itechfrontiers.com wrote:
> I'm sorry, but with all due respect, I don't know if helping people in
> Iran on the subject is legal or not (I'm not a lawyer), but judging
> from the source of your mail (which is Iran), I prefer not to be involved
> in any particular help.

I have never heard anything that has suggested that there have ever been US export laws regarding access control software, let alone helping someone set up their free open source security software (please let me know if you have heard otherwise). It has been 10 years since US cryptography export laws were relaxed (and maybe they still apply to embargoed destinations).

Just a quick google: "controls on encryption did not apply to cryptographic equipment and software if their functionality was limited to any of the following nine categories:" ... "(5) Access control devices such as ATMs;"

> Anyway, this is a project developed primarily by the National Security
> Agency of the USA and its contributors.

That does not seem relevant to me...

Cliffe.
From: "cto@itechfrontiers.com"
To: Cliffe
CC: Behnaz Hassanshahi, SELinux
Subject: Re: temporal role base access control in Linux
Date: Sun, 07 Nov 2010 11:31:16 -0500

Hello Cliffe,

I believe I provided enough information to be able to achieve what has been asked here.

Anyway, I'm bound to the US rules and abide by and respect them, and I definitely am not a lawyer. However, my concern was not EAR (Export Administration Regulations); the law is much more complicated than just an export control regulation.

Considering the source of the message, coming from a known university in Iran working on dual-purpose subjects, I personally prefer not to help in particular (on an implementation basis), and I think I have such a right.

I tried to help as much as I could.

Providing legal advice requires an attorney-client privilege/relationship, and I don't think just a Google search result would be enough in such a case.

Anyway, this is not a legal mailing list; the technical aspects have been covered as much as they should be. If you would like, you may add additional notes.

Best Regards,
Patrick K.
From: Cliffe
To: "cto@itechfrontiers.com"
CC: Behnaz Hassanshahi, SELinux
Subject: Re: temporal role base access control in Linux
Date: Mon, 08 Nov 2010 00:50:48 +0800

Hi Patrick,

No worries. Yes, I am not a lawyer. It is obviously entirely your prerogative, and I am not criticising the help you provided. To be honest, I just found it strange that you would choose to point out what country they were from and who SELinux was developed by, as if that made them less entitled to help with an open source project. Sorry if you feel I overreacted.

I don't have anything to add to your implementation suggestions; thanks for sharing.

Cliffe.

From: "cto@itechfrontiers.com"
To: Cliffe
CC: Behnaz Hassanshahi, SELinux
Subject: Re: temporal role base access control in Linux
Date: Sun, 07 Nov 2010 12:44:30 -0500

Hi Cliffe,

Not at all, just sharing points of view; anyway, I learn every day. I think it is better not to go off topic and to explain a little bit more:

TRBAC = Temporal Role-Based Access Control
TRBAC = Time constraint/periodic roles/events (activate-deactivate) + their triggers + RBAC

I wrote that it can be SIMULATED using pure SELinux because: if the triggers do not need to be atomic role entries (for example, it does not need to be an inline IPS/IDS changing roles in a fraction of a minute/second), but the event triggers are longer to deal with (for example, changing personnel shifts, a longer time frame), then a simple SIMULATION with SELinux would be:

1) Create/generate different policies and their dependencies for different events (the program can even try to generate these on the fly)
2) Create a task scheduler or event handler or hierarchical scheduler
3) Load/replace the generated policies using the above task scheduler/event handler/hierarchical scheduler based on triggers and events

* Virtually much like an administrative job automation
* This event handler needs to have higher privileges for loading policies (MAC-wise)
* This can be done without applying modifications to SELinux
* All of the above can also be done using the LSM APIs/SELinux hooks/APIs, as I posted their links in my first reply too (much more complicated, of course)

NOTICE: In real-life scenarios, SELinux itself is complicated enough in practice to generate policies for; as you all know, it is used for targeted processes, not everything, so the concept of applying this to targeted processes in practice is inherited by TRBAC on top of SELinux.

One may want to develop genuine TRBAC; then stick to LSM (Linux Security Module) as a standard security interface with the Linux kernel.

Best Regards,
Patrick K.

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
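The scheduler-based simulation Patrick outlines (steps 1-3 above) as an added worked example, not code from the thread or from the SELinux project: a small scheduler that reads simple temporal rules, computes which roles are outside their time window, and reconciles the set of enabled SELinux policy modules with `semodule -e`/`-d`. The rule syntax, the per-role module name `<role>_window`, and the role names are assumptions made for this example.

```python
"""Temporal RBAC on top of unmodified SELinux: one pre-built policy module per
time-constrained role, enabled or disabled by a privileged scheduler.
Rule syntax, role names and the module naming scheme are invented here."""
import subprocess
from datetime import datetime, time

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse_rule(line):
    """Parse 'role Mon-Fri 09:00-17:00' (or '*' for every day) into
    (role, dayset, start, end). This rule syntax is an assumption."""
    role, days, window = line.split()
    if days == "*":
        dayset = set(range(7))
    else:
        first, last = days.split("-")
        dayset = set(range(DAYS.index(first), DAYS.index(last) + 1))
    start, end = (time(*map(int, t.split(":"))) for t in window.split("-"))
    return role, dayset, start, end

def role_active(rule, now):
    """True if the role's window covers `now`; windows may wrap midnight."""
    _, dayset, start, end = rule
    t = now.time()
    if start <= end:
        return now.weekday() in dayset and start <= t < end
    # Wrap-around window such as 23:00-04:00: the early-morning part belongs
    # to the shift that started on the previous day.
    if t >= start:
        return now.weekday() in dayset
    return (now.weekday() - 1) % 7 in dayset and t < end

def denied_roles(rules, now):
    """Roles whose window is closed at `now` (the 'disallowed roles' list)."""
    return {r[0] for r in rules if not role_active(r, now)}

def plan_commands(rules, now, enabled):
    """semodule calls that reconcile the enabled module set with the schedule.
    `enabled` is the set of currently enabled module names (in practice taken
    from `semodule -l`); module name '<role>_window' is an assumption."""
    cmds = []
    for rule in rules:
        mod = f"{rule[0]}_window"
        want = role_active(rule, now)
        if want and mod not in enabled:
            cmds.append(["semodule", "-e", mod])
        elif not want and mod in enabled:
            cmds.append(["semodule", "-d", mod])
    return cmds

def apply_commands(cmds):
    """Run the reconciliation; needs root and the policycoreutils installed."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)

if __name__ == "__main__":
    # Constructed rule set: a weekday operator role and a nightly backup role.
    rules = [parse_rule(l) for l in ("shift_operator_r Mon-Fri 08:00-17:00",
                                     "night_backup_r * 23:00-04:00")]
    now = datetime.now()
    print("denied now:", sorted(denied_roles(rules, now)))
    print("to run:", plan_commands(rules, now, enabled=set()))
```

A cron job or systemd timer running `apply_commands(plan_commands(...))` at each window boundary is the "event handler with higher privileges" from the message; the policy modules themselves are ordinary modules built ahead of time, so SELinux is not modified.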