From: Stephen Smalley <sds@tycho.nsa.gov>
To: Victor Porton <porton@narod.ru>,
Eric Paris <eparis@parisplace.org>,
Casey Schaufler <casey@schaufler-ca.com>
Cc: LSM List <linux-security-module@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
James Morris <james.l.morris@oracle.com>,
SELinux <selinux@tycho.nsa.gov>
Subject: Re: SELinux question..
Date: Wed, 05 Feb 2014 09:47:55 -0500
Message-ID: <52F24F1B.4050009@tycho.nsa.gov>
In-Reply-To: <10921391611264@web22m.yandex.ru>
On 02/05/2014 09:41 AM, Victor Porton wrote:
> MCS also has a use in sandboxing:
>
> http://portonsoft.wordpress.com/2014/01/11/toward-robust-linux-sandbox/
>
> By the way, it would help if you allow more than 1024 categories.
>
> It is a good idea to build a category from the process ID of the calling program.
>
> It can nevertheless be done with the current kernel by assigning SEVERAL categories in MCS, with the list of categories determined by the process ID. But calculating several categories from one process ID is silly.
>
> If I'd take the decision, I would allow any (possibly 64 bit) number as a category in MCS. Thus we would just pass process ID to SELinux when programming the sandbox.
>
> P.S. Debian does not yet work well with enforcing SELinux. For this reason I have laid aside my project related to sandboxing for an indefinite time (until SELinux works with my Debian).
The number of categories is policy-defined, not hardcoded, but there are
some current implementation aspects that make it more costly than it
should be to greatly expand them. Besides, it is trivial to encode IDs
as category sets and this is already demonstrated through a variety of
existing implementations (at least openshift and Android, don't recall
if svirt and/or sandbox do the same).
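The encoding Stephen refers to, as an added example that is not code from this thread, from the SELinux project, or from Android or OpenShift: instead of spending one category per ID, an integer such as a PID or container ID is mapped to an unordered pair of distinct categories, and back. It assumes the default MCS policy with 1024 categories (c0..c1023) and a single sensitivity level s0; the number of categories is policy-defined, so NUM_CATEGORIES is an assumption, not a kernel constant. With 1024 categories the pair encoding yields C(1024, 2) = 523776 distinct labels, and because MCS grants access only when the subject's category set dominates (is a superset of) the object's, any two distinct pairs are mutually inaccessible.

```python
"""Encode an integer ID (e.g. a PID or container ID) as an MCS category pair.

Added example for this thread; not code from the SELinux project, Android
or OpenShift. Assumption: the default MCS policy with 1024 categories
(c0..c1023) and one sensitivity level s0. MCS isolation is by dominance:
a subject with categories S may touch an object with categories O only if
O is a subset of S, so two distinct pairs cannot access each other.
"""
from math import isqrt

NUM_CATEGORIES = 1024  # policy-defined (assumed default), not a kernel limit


def max_ids(ncat=NUM_CATEGORIES):
    """Number of distinct unordered category pairs: C(ncat, 2)."""
    return ncat * (ncat - 1) // 2


def id_to_pair(n, ncat=NUM_CATEGORIES):
    """Map n in [0, C(ncat, 2)) to a pair (i, j) with 0 <= i < j < ncat.

    Pairs are enumerated in colexicographic order: (0,1), (0,2), (1,2),
    (0,3), ... so pair_to_id() is the closed-form inverse.
    """
    if not 0 <= n < max_ids(ncat):
        raise ValueError(f"id {n} out of range for {ncat} categories")
    # Largest j with j*(j-1)/2 <= n: solve the quadratic, then correct
    # for integer rounding.
    j = (1 + isqrt(1 + 8 * n)) // 2
    while j * (j - 1) // 2 > n:
        j -= 1
    while (j + 1) * j // 2 <= n:
        j += 1
    i = n - j * (j - 1) // 2
    return i, j


def pair_to_id(i, j):
    """Inverse of id_to_pair()."""
    if not 0 <= i < j:
        raise ValueError("categories must satisfy 0 <= i < j")
    return j * (j - 1) // 2 + i


def mcs_label(n, level="s0"):
    """Render the MCS range as it would be given to runcon(1)/setexeccon(3)."""
    i, j = id_to_pair(n)
    return f"{level}:c{i},c{j}"


def parse_categories(label):
    """Category set of a label such as 's0:c6,c9' or 's0:c0.c3' (ranges with '.')."""
    _level, _, cats = label.partition(":")
    out = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo = int(lo.lstrip("c"))
        hi = int(hi.lstrip("c")) if hi else lo
        out.update(range(lo, hi + 1))
    return out


def label_to_id(label):
    """Recover the ID from a label produced by mcs_label()."""
    cats = sorted(parse_categories(label))
    if len(cats) != 2:
        raise ValueError(f"expected exactly two categories, got {label!r}")
    return pair_to_id(*cats)


def dominates(subject_label, object_label):
    """MCS rule: the subject must hold every category the object carries."""
    return parse_categories(object_label) <= parse_categories(subject_label)


if __name__ == "__main__":
    for pid in (0, 42, 4095, max_ids() - 1):
        lbl = mcs_label(pid)
        print(pid, lbl, label_to_id(lbl))
    a, b = mcs_label(1234), mcs_label(1235)
    print(a, "dominates", b, "->", dominates(a, b))  # False: isolated
    print("s0:c0.c1023 dominates", a, "->", dominates("s0:c0.c1023", a))
```

A label produced by mcs_label() would be used as the MCS part of the sandboxed process's context (for example the range argument of runcon or the level in a setexeccon call) and the same pair assigned to the files the sandbox owns; an unconfined administrator context carrying the full range c0.c1023 still dominates every pair, which is the usual escape hatch for management tools.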