* What do you mean by a 'domain'.
@ 2014-04-07 9:24 dE
2014-04-07 9:52 ` Patrick K., ITF
2014-04-07 11:54 ` Stephen Smalley
0 siblings, 2 replies; 6+ messages in thread
From: dE @ 2014-04-07 9:24 UTC (permalink / raw)
To: selinux
Hi!
Sorry for the trivial question; but on reading various SELinux resources,
it appears everyone talks about some 'domain' but no one defines what it is.
So I wanna know what is a domain in SELinux.
Thank you!
* Re: What do you mean by a 'domain'.
From: Patrick K., ITF @ 2014-04-07 9:52 UTC (permalink / raw)
To: selinux
On 4/7/2014 5:24 AM, dE wrote:
> Hi!
>
> Sorry for the trivial question; but on reading various SELinux resources,
> it appears everyone talks about some 'domain' but no one defines what
> it is.
>
> So I wanna know what is a domain in SELinux.
>
>
> Thank you!
Hello,
Generally a domain is a scope or realm, consisting of related contexts
in which you define and operate your security components (depending on
your security model) using a combination of:
SELinux user, role, type and level (optionally, MLS sensitivity level)
Particularly, a domain is also used interchangeably with SELinux "type"
In addition, in RBAC (Role-based security model) to some extent a "role"
can serve as an intermediary between domains (types) and be part of it.
Representations:
SELinux User : SELinux Role : SELinux Type : Sensitivity Level
unconfined_u : unconfined_r : unconfined_t : s0-s0:c0.c1024
# ps -eZ
# ls -laZ
Best Regards,
--
Patrick K.
* Re: What do you mean by a 'domain'.
From: Daniel J Walsh @ 2014-04-07 11:45 UTC (permalink / raw)
To: Patrick K., ITF, selinux
On 04/07/2014 05:52 AM, Patrick K., ITF wrote:
>
> On 4/7/2014 5:24 AM, dE wrote:
>> Hi!
>>
>> Sorry for the trivial question; but on reading various SELinux resources,
>> it appears everyone talks about some 'domain' but no one defines what
>> it is.
>>
>> So I wanna know what is a domain in SELinux.
>>
>>
>> Thank you!
>
> Hello,
>
> Generally a domain is a scope or realm, consisting of related contexts
> in which you define and operate your security components (depending on
> your security model) using a combination of:
>
> SELinux user, role, type and level (optionally, MLS sensitivity level)
>
>
> Particularly, a domain is also used interchangeably with SELinux "type"
>
> In addition, in RBAC (Role-based security model) to some extent a
> "role" can serve as an intermediary between domains (types) and be
> part of it.
>
> Representations:
>
> SELinux User : SELinux Role : SELinux Type : Sensitivity Level
> unconfined_u : unconfined_r : unconfined_t : s0-s0:c0.c1024
>
>
> # ps -eZ
> # ls -laZ
>
>
>
>
> Best Regards,
>
>
I would describe a "Domain" as an SELinux type applied to a process, as
opposed to a type applied to an object like a file, port, interface,
network ...
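An added example (not part of any message in this thread): the sketch below parses constructed `ps -eZ` and `ls -Z` style lines to show the distinction drawn above, where a type on a process is a domain and a type on a file is an object type. The sample lines, the type names in them and the helper names are assumptions made for illustration.

```python
# Added illustration; sample lines are constructed, not captured output.
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # empty when the label carries no MLS/MCS level

def parse_context(label: str) -> Context:
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = label.split(":", 3)  # at most 3 splits keeps 's0-s0:c0.c1023' whole
    if len(parts) < 3:
        raise ValueError(f"not a security context: {label!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

# Constructed lines in the shape of `ps -eZ`: LABEL PID TTY TIME CMD
PS_EZ = """\
system_u:system_r:init_t:s0 1 ? 00:00:01 systemd
system_u:system_r:httpd_t:s0 812 ? 00:00:00 httpd
system_u:system_r:httpd_t:s0 813 ? 00:00:00 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1500 pts/0 00:00:00 bash
"""
# Constructed lines in the shape of `ls -Z`, simplified to LABEL PATH
LS_Z = """\
system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
"""

def domains(ps_output: str) -> dict:
    """Map each domain (type on a process) to the commands running in it."""
    result = {}
    for line in ps_output.splitlines():
        fields = line.split()
        result.setdefault(parse_context(fields[0]).type, []).append(fields[-1])
    return result

def object_types(ls_output: str) -> dict:
    """Map each path to the type on its label (a type, but not a domain)."""
    pairs = (ln.split(None, 1) for ln in ls_output.splitlines())
    return {path: parse_context(label).type for label, path in pairs}

if __name__ == "__main__":
    for dom, cmds in domains(PS_EZ).items():
        print(f"domain {dom}: {cmds}")
    for path, typ in object_types(LS_Z).items():
        print(f"object {path}: {typ}")
```

Two processes share the `httpd_t` domain in the sample, and the binary they were started from carries a different, non-domain type (`httpd_exec_t`).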
* Re: What do you mean by a 'domain'.
From: Stephen Smalley @ 2014-04-07 11:54 UTC (permalink / raw)
To: dE, selinux
On 04/07/2014 05:24 AM, dE wrote:
> Hi!
>
> Sorry for the trivial question; but on reading various SELinux resources,
> it appears everyone talks about some 'domain' but no one defines what
> it is.
>
> So I wanna know what is a domain in SELinux.
See:
http://www.nsa.gov/research/_files/selinux/papers/policy2/x86.shtml
* Re: What do you mean by a 'domain'.
From: dE @ 2014-04-08 5:51 UTC (permalink / raw)
To: selinux
On 04/07/14 17:24, Stephen Smalley wrote:
> On 04/07/2014 05:24 AM, dE wrote:
>> Hi!
>>
>> Sorry for the trivial question; but on reading various SELinux resources,
>> it appears everyone talks about some 'domain' but no one defines what
>> it is.
>>
>> So I wanna know what is a domain in SELinux.
> See:
> http://www.nsa.gov/research/_files/selinux/papers/policy2/x86.shtml
>
So domain is a SELinux identifier of a process and it's not necessary
for each process to have a unique SELinux domain.
I didn't know NSA hosted docs also. Thanks! I'll refer to them instead.
* Re: What do you mean by a 'domain'.
From: Patrick K., ITF @ 2014-04-08 6:43 UTC (permalink / raw)
To: selinux
--
Patrick K. Kashi, PhD
CTO
On 4/7/2014 7:54 AM, Stephen Smalley wrote:
> On 04/07/2014 05:24 AM, dE wrote:
>> Hi!
>>
>> Sorry for the trivial question; but on reading various SELinux resources,
>> it appears everyone talks about some 'domain' but no one defines what
>> it is.
>>
>> So I wanna know what is a domain in SELinux.
>
> See:
> http://www.nsa.gov/research/_files/selinux/papers/policy2/x86.shtml
>
The definition of the term "domain" in "Type Enforcement model" is
security context and attributes assigned to a process BUT not
necessarily in SELinux:
SELinux internally won't care about domain, it uses type for that matter.
Would you mind to correct me, if I'm wrong?
The above document asserts:
QUOTE:
" ... Although the example TE configuration often uses the term domain
when referring to the type of a process,
the SELinux TE model does not internally distinguish domains from types."
UNQUOTE
Best regards,
Patrick K.