From: dE <de.techno@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Initial SIDs.
Date: Sat, 19 Jul 2014 11:07:03 +0530 [thread overview]
Message-ID: <53CA03FF.9030507@gmail.com> (raw)
In-Reply-To: <1405507280.12577.6.camel@x220.localdomain>
On 07/16/14 16:11, Dominick Grift wrote:
> On Wed, 2014-07-16 at 11:45 +0530, dE wrote:
>> I don't understanding why this's required.
>>
>> As per my understanding, the SID values can be generated by the kernel
>> given the security context and is internal to the kernel and independent
>> of the policy, so I don't understand why do we define SID manually.
>>
> I suppose it is about creating associations.
>
> In policy we associate customizable identifiers to hard initial sids
>
> I suppose to be able to do that we need to "declare" the hard isids in
> the first place (just like we are required to declare customizable
> identifiers)
>
> There are 4 reasons for isids:
>
> system initialization (to label processes that were there before any
> policy was loaded, think kernel threads)
>
> failover: selinux needs to be able to safely failover. Example you
> insert a device without labels. SElinux needs to kick in and make sure
> the device is labeled for consistency
>
> Another example: you load policy that removed some identifiers that are
> currently in use by the system. SELinux needs to kick in and mark those
> invalid
>
> There probably more reasons (i cant recall them at this very moment):
> they are briefly mentioned in the book "SELinux by example" ...
>
> .. a must read
>
>> Second, I'm not sure why these initial processes require an SID in the
>> 1st place – my guess is cause the security context of the parent
>> processes (like init) are used to compute the security context of it's
>> children; so with a missing security context of the parent process, it's
>> impossible to compute the security context of it's children. So a valid
>> security context has to be predefined.
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
I bought that book and read up on it. Thanks for the reference.
These are reverse mapping of SIDs to labels, so they can be associated
to any labels in case of situations like system initializations or
undefined security labels etc... otherwise these undefined or missing
labels cannot be resolved to an SID.
prev parent reply other threads:[~2014-07-19 5:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-16 6:15 Initial SIDs dE
2014-07-16 10:41 ` Dominick Grift
2014-07-19 5:37 ` dE [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53CA03FF.9030507@gmail.com \
--to=de.techno@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.