* target context of security:setbool permission check @ 2020-03-02 15:44 Christian Göttsche 2020-03-02 16:37 ` Dominick Grift 2020-03-02 18:56 ` Stephen Smalley 0 siblings, 2 replies; 3+ messages in thread From: Christian Göttsche @ 2020-03-02 15:44 UTC (permalink / raw) To: selinux Hi, currently the target context of the security:setbool permission check is hardcoded to the security-initial-sid.[1][2] Nowadays it is possible to label the boolean pseudo files via genfscon. Is this by design or did nobody yet make it possible to base the check on the actual file-context? Or is the current access limitation to booleans via the file:write permission to the boolean pseudo-files sufficient? [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234 [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290 ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: target context of security:setbool permission check 2020-03-02 15:44 target context of security:setbool permission check Christian Göttsche @ 2020-03-02 16:37 ` Dominick Grift 2020-03-02 18:56 ` Stephen Smalley 1 sibling, 0 replies; 3+ messages in thread From: Dominick Grift @ 2020-03-02 16:37 UTC (permalink / raw) To: Christian Göttsche; +Cc: selinux Christian Göttsche <cgzones@googlemail.com> writes: > Hi, > > currently the target context of the security:setbool permission check > is hardcoded to the security-initial-sid.[1][2] > Nowadays it is possible to label the boolean pseudo files via genfscon. > > Is this by design or did nobody yet make it possible to base the check > on the actual file-context? > > Or is the current access limitation to booleans via the file:write > permission to the boolean pseudo-files sufficient? From my experience blocking write access to the bool file is sufficient > > > [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234 > [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290 -- Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: target context of security:setbool permission check 2020-03-02 15:44 target context of security:setbool permission check Christian Göttsche 2020-03-02 16:37 ` Dominick Grift @ 2020-03-02 18:56 ` Stephen Smalley 1 sibling, 0 replies; 3+ messages in thread From: Stephen Smalley @ 2020-03-02 18:56 UTC (permalink / raw) To: Christian Göttsche; +Cc: SElinux list On Mon, Mar 2, 2020 at 10:44 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Hi, > > currently the target context of the security:setbool permission check > is hardcoded to the security-initial-sid.[1][2] > Nowadays it is possible to label the boolean pseudo files via genfscon. > > Is this by design or did nobody yet make it possible to base the check > on the actual file-context? > > Or is the current access limitation to booleans via the file:write > permission to the boolean pseudo-files sufficient? I would think the file write check suffices if you want that level of granularity, while keeping the setbool check as a coarse-grained control over who can set booleans at all. setbool is also used to control the ability to commit pending bools. Most of the security permissions predate selinuxfs itself and harken back to the original system call interface although that wouldn't be the case for booleans. > > > [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234 > [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290 ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-03-02 18:54 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-03-02 15:44 target context of security:setbool permission check Christian Göttsche 2020-03-02 16:37 ` Dominick Grift 2020-03-02 18:56 ` Stephen Smalley
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.