From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Oprala <ooprala@redhat.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: ipc security context
Date: Thu, 11 Apr 2013 16:16:42 -0400
Message-ID: <51671A2A.9010905@tycho.nsa.gov>
In-Reply-To: <5166AD29.60901@redhat.com>
On 04/11/2013 08:31 AM, Ondrej Oprala wrote:
> Hi,
> is it possible to get/set a security context per separate IPC objects?
> As far as my googling got me, it seems IPCs are the same context
> as process creation, so I'm guessing I should probably be able
> to get some info about a shared memory segment for example, by passing
> lpid to getpidcon. Are my assumptions correct or am I completely off the
> chart?
> I'd be very thankful for any clarification.
If you truly need to programmatically get the security context of an IPC
object, I'd suggest defining new command values for the *ctl() functions
that copy out the security context of the IPC object. That's a kernel
change of course.
If you just want to see the security contexts of some IPC objects, then
you can likely just turn on syscall audit and define some audit filters
to trigger collection and auditing of the ipc object information,
including its security context. Or you might try defining auditallow
rules for the relevant domain(s) with the ipc object security classes in
your policy.
Looking up the security context from the pid may work in some cases, but
won't be reliable. In the case of shm, I think you'd want cpid rather
than lpid, but even that won't guarantee it is still the same.
It would be better to have real APIs for getting the security context.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
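The audit route described in the reply, as an added example that is not part of the original thread: a small Python parser that joins the SYSCALL and IPC records of one audit event by serial number and reports the IPC object's SELinux context (the `obj=` field) next to the caller's `subj=`. The log lines are constructed samples, and the audit rule key `ipc_ctx` is an assumption, not something the mail specifies.

```python
import re
from collections import defaultdict

# Constructed sample records. Event 4711 is a shmget() caught by an assumed
# rule such as:  auditctl -a always,exit -F arch=b64 -S shmget,shmat,shmctl -k ipc_ctx
# Event 4712 is an unrelated openat() kept in to show that it is filtered out.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1365710202.123:4711): arch=c000003e syscall=29 success=yes exit=32768 a0=0 a1=1000 a2=1b6 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="shmtest" exe="/usr/bin/shmtest" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="ipc_ctx"
type=IPC msg=audit(1365710202.123:4711): ouid=1000 ogid=1000 mode=0600 obj=unconfined_u:object_r:unconfined_t:s0
type=SYSCALL msg=audit(1365710203.456:4712): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c0 a2=0 a3=0 items=1 ppid=1000 pid=1235 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="other"
"""

# type=<name> msg=audit(<timestamp>:<serial>): <key=value fields>
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Values are either double-quoted strings or bare tokens (contexts contain ':' and are bare).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Yield (record type, event serial, field dict) for each audit line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record; skip silently
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        yield m.group("type"), m.group("serial"), fields


def ipc_object_contexts(text, key="ipc_ctx"):
    """Return one summary per event that carries both a SYSCALL record tagged
    with `key` and an IPC record, i.e. the IPC object's security context."""
    events = defaultdict(dict)
    for rtype, serial, fields in parse_records(text):
        events[serial][rtype] = fields  # records of one event share the serial
    out = []
    for serial, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc, ipc = recs.get("SYSCALL"), recs.get("IPC")
        if sc is None or ipc is None or sc.get("key") != key:
            continue
        out.append({"serial": serial, "pid": sc["pid"], "comm": sc["comm"],
                    "syscall": sc["syscall"], "subj": sc["subj"],
                    "obj": ipc["obj"], "mode": ipc["mode"]})
    return out


if __name__ == "__main__":
    for row in ipc_object_contexts(SAMPLE_LOG):
        print(f"event {row['serial']}: pid={row['pid']} comm={row['comm']} "
              f"syscall={row['syscall']} subj={row['subj']} obj={row['obj']} mode={row['mode']}")
```

On a live system the same function can be fed the output of `ausearch -k ipc_ctx --raw`, which prints records in this one-per-line format.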