Re: Presidency of user/role/type permissions.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Daniel J Walsh <dwalsh@redhat.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>,
	dE <de.techno@gmail.com>,
	selinux@tycho.nsa.gov
Subject: Re: Presidency of user/role/type permissions.
Date: Tue, 13 May 2014 09:52:29 -0400	[thread overview]
Message-ID: <5372239D.3010007@redhat.com> (raw)
In-Reply-To: <53720F8C.8000205@tresys.com>


On 05/13/2014 08:26 AM, Christopher J. PeBenito wrote:
> On 05/13/2014 05:48 AM, dE wrote:
>> For a process's security context (user, role, type), there maybe a conflict in the policy. for e.g. for user user_u, access to the kernel's ring buffer may not be allowed, but for role role_r, it may be allowed. The same process will have user_u and role_r.
>>
>> So in case of conflicting permissions between user, role and type who's permission will the security server respect -- user's, role's or type's?
> First, obviously, the access has to be allowed via type enforcement allow rule.  After that, the constraints can reduce the access.  All of the constraints have to be passed for the end result to be allowed, regardless of what is involved in the constraint (user, role, etc.)  There is no precedence in the constraints.
>
Users and Roles do not control access, only types and MCS/MLS Levels.

Users are a way of assinging  Roles and MCS/MLS ranges to a login user.
Roles control which types are available, then types control access. 
As Chris says MCS/MLS constraints can further restrict a label.

next prev parent reply	other threads:[~2014-05-13 13:52 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-13  9:48 Presidency of user/role/type permissions dE
2014-05-13 12:26 ` Christopher J. PeBenito
2014-05-13 13:52   ` Daniel J Walsh [this message]
2014-05-14  6:03     ` dE
2014-05-14  6:10       ` dE
2014-05-14 12:40         ` Daniel J Walsh
2014-05-15 17:40           ` dE
2014-05-15 19:08             ` Daniel J Walsh
2014-05-19  3:09               ` dE

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5372239D.3010007@redhat.com \
    --to=dwalsh@redhat.com \
    --cc=cpebenito@tresys.com \
    --cc=de.techno@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.