From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: SELinux <selinux@tycho.nsa.gov>
Subject: Re: type bounds for files?
Date: Thu, 16 Dec 2010 09:26:00 +0900 [thread overview]
Message-ID: <4D095C98.5050106@ak.jp.nec.com> (raw)
In-Reply-To: <20101215203720.GH18729@myhost.felk.cvut.cz>
(2010/12/16 5:37), Michal Svoboda wrote:
> Hello,
>
> let's say I have a www service that's run through apache/selinux+ with
> its own domain say foo_t. The domain has write access to some files with
> type foo_data_t (which is files_type) through an allow rule.
>
> Now, due to the 'typebound httpd_t foo_t' rule used with apache domains,
> I would normally also have to 'allow httpd_t foo_data_t : file ...'.
>
> But today I saw another solution at work, which used an oddball rule
> where the foo_data_t was type bounded by another files_type, something
> like 'typebound http_user_data_t foo_data_t' (don't remember the
> bounding type's name exactly). This would make the www service work the
> expected way without the need for 'allow httpd_t foo_data_t : file ...'.
>
> Is this a known behavior? What is the sense in typebounding file types?
>
Yes, it is known. We had a similar discussion before:
http://marc.info/?l=selinux&m=126771862818496&w=2
The type-boundary feature is originated from type-hierarchy feature
which has been supported in checkpolicy for several years.
Joshua said:
| The original hierarchy specified that if httpd_t had e.g., write access
| to httpd_sys_content_t then webapp_t could be given write access to
| webapp_content_t without httpd_t having direct access to webapp_content_t.
|
| This was done so that, in policy access controls, parents could be
| decoupled from children while still allowing child subjects to access
| child objects. One application of this was to have parents that,
| themselves, did not have access to children objects (or were not active
| at all).
It seems to me your use cases are right.
Maybe, the term of 'boundary' might make us hard to imagine this type
of functionality.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2010-12-16 0:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-15 20:37 type bounds for files? Michal Svoboda
2010-12-16 0:26 ` KaiGai Kohei [this message]
2010-12-16 10:14 ` Michal Svoboda
2010-12-16 19:01 ` Chad Sellers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D095C98.5050106@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.