From: Casey Schaufler <casey@schaufler-ca.com>
To: Yuri L Volobuev <volobuev@us.ibm.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
selinux@davequigley.com, SELinux@tycho.nsa.gov,
swhiteho@redhat.com, Eric Paris <eparis@parisplace.org>
Subject: Re: inode security state and cluster file systems
Date: Fri, 18 Feb 2011 11:07:08 -0800 [thread overview]
Message-ID: <4D5EC35C.4050103@schaufler-ca.com> (raw)
In-Reply-To: <1298046341.23592.16.camel@moss-pluto>
On 2/18/2011 8:25 AM, Stephen Smalley wrote:
> On Fri, 2011-02-18 at 10:15 -0600, Yuri L Volobuev wrote:
>> The logical place to make this call would be at d_revalidate time.
>> The new value of the security context is not readily available at
>> that time, as described above. Technically speaking, the file system
>> code could know the new context -- it can do a getxattr, which would
>> return the up-to-date label content. However, this would require
>> knowing the security label xattr name, which is not readily available
>> in RHEL6. (I actually had the code working with correct semantics on
>> RHEL5, which has security_inode_xattr_getsuffix(), but it would be
>> fair to say that it was hacking around the API rather than leveraging
>> it as intended).
>>
>> Hope it makes things clearer.
> Yes, thanks. One lingering concern then is that we revalidate
> permissions on read/write via security_file_permission ->
> selinux_file_permission. Within selinux_file_permission, we check
> whether the task SID, inode SID, or policy has changed since the file
> was opened, and if so, we recheck permissions. If you only make the
> call at d_revalidate time, then we'll only update the inode sid on next
> lookup and thus ongoing reads/writes on an already open file will
> continue to succeed even if they should be denied by policy until some
> process on that node attempts another lookup.
Would you be so kind as to move this discussion to
linux-security-module@vger.kernel.org so as to include
the LSM community as a whole?
Thank you.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-02-18 19:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-18 3:08 inode security state and cluster file systems Yuri L Volobuev
2011-02-18 13:28 ` Stephen Smalley
2011-02-18 13:35 ` Stephen Smalley
2011-02-18 15:18 ` Eric Paris
2011-02-18 16:15 ` Yuri L Volobuev
2011-02-18 16:25 ` Stephen Smalley
2011-02-18 19:07 ` Casey Schaufler [this message]
2011-02-18 20:42 ` Yuri L Volobuev
2011-02-18 22:39 ` Eric Paris
2011-02-18 22:40 ` Eric Paris
2011-02-20 20:16 ` Casey Schaufler
2011-02-21 19:56 ` Eric Paris
2011-02-22 3:57 ` Casey Schaufler
2011-02-22 15:25 ` Yuri L Volobuev
2011-02-22 16:05 ` Eric Paris
2011-02-22 22:17 ` Yuri L Volobuev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D5EC35C.4050103@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=SELinux@tycho.nsa.gov \
--cc=eparis@parisplace.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@davequigley.com \
--cc=swhiteho@redhat.com \
--cc=volobuev@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.