All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Eric Paris <eparis@parisplace.org>
Cc: Yuri L Volobuev <volobuev@us.ibm.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	SELinux@tycho.nsa.gov, selinux@davequigley.com,
	swhiteho@redhat.com, Mark Fasheh <mfasheh@suse.com>,
	Joel Becker <jlbec@evilplan.org>,
	LSM List <linux-security-module@vger.kernel.org>,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: inode security state and cluster file systems
Date: Mon, 21 Feb 2011 19:57:05 -0800	[thread overview]
Message-ID: <4D633411.1020004@schaufler-ca.com> (raw)
In-Reply-To: <AANLkTimE5_WdsVVp-LtTGYoUMGstW7H1poj8o6PdWow-@mail.gmail.com>

On 2/21/2011 11:56 AM, Eric Paris wrote:
> On Sun, Feb 20, 2011 at 3:16 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
>> On 2/18/2011 2:40 PM, Eric Paris wrote:
>>>> If we made the invalidation point an explicit refresh of the label at
>>>> least the filesystems would be able to control both of those
>>>> problems.....
>> So far the only case that has been discussed is one in which there
>> is one security attribute on the file. While we don't have it yet there
>> are a couple of efforts underway to support multiple concurrent LSMs.
>> It is also plausible for an LSM to use more than one security attribute
>> on a given file. An approach based on a secid interface may not work
>> in either scenario. If you want a comparative example, look at directory
>> default ACLs, which are important security information, but are nor used
>> to make access decisions on the object to which they are attached.
> I'm still leaning towards a solution in which the filesystem needs to
> tell the LSM that it's labels are invalid (I suggest that be done on
> any change in the security.* namespace) and that same call needs to
> cause the LSM to refresh its labels.  I seem to think that such a call
> would work just fine with any LSM stacker or even
> multi-attribute/multi-label LSM (which uses the security.* namespace).

Yes, this seems completely reasonable and equally annoying for all
concerned. I think that it would be a good idea to pass the name of
the attribute changed (e.g. "SMACK64") so that the LSM(s) can decide
if it(they) need take action.


> The biggest problem is if the 3 cluster filesystems in question can
> handle an interface that requires a dentry

If they can't I think that the LSM can get the dentry from an inode,
although it is not convenient. Hmm. A brief look at code indicates
that this may not be easy for the LSM. So it looks as if the filesystem
might have to pass dentrys.

>  and if they can handle the
> fact that we do permissions checks on read/write and would like those
> operations to start failing immediately if another node changed the
> label.  I really don't see any other way to solve the problem....

Distributed systems are tricky. That's one reason I work in security,
it is so much simpler.

> -Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  reply	other threads:[~2011-02-22  3:57 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-02-18  3:08 inode security state and cluster file systems Yuri L Volobuev
2011-02-18 13:28 ` Stephen Smalley
2011-02-18 13:35   ` Stephen Smalley
2011-02-18 15:18     ` Eric Paris
2011-02-18 16:15   ` Yuri L Volobuev
2011-02-18 16:25     ` Stephen Smalley
2011-02-18 19:07       ` Casey Schaufler
2011-02-18 20:42       ` Yuri L Volobuev
2011-02-18 22:39         ` Eric Paris
2011-02-18 22:40           ` Eric Paris
2011-02-20 20:16             ` Casey Schaufler
2011-02-21 19:56               ` Eric Paris
2011-02-22  3:57                 ` Casey Schaufler [this message]
2011-02-22 15:25                 ` Yuri L Volobuev
2011-02-22 16:05                   ` Eric Paris
2011-02-22 22:17                     ` Yuri L Volobuev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4D633411.1020004@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=SELinux@tycho.nsa.gov \
    --cc=eparis@parisplace.org \
    --cc=jlbec@evilplan.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mfasheh@suse.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@davequigley.com \
    --cc=swhiteho@redhat.com \
    --cc=volobuev@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.