From: james.l.morris@oracle.com (James Morris)
To: linux-security-module@vger.kernel.org
Subject: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs
Date: Tue, 31 Oct 2017 14:11:48 +1100 (AEDT) [thread overview]
Message-ID: <alpine.LFD.2.20.1710311357320.22021@localhost> (raw)
In-Reply-To: <1509390973.10174.9.camel@tycho.nsa.gov>
On Mon, 30 Oct 2017, Stephen Smalley wrote:
> Thanks, interesting approach. One drawback is that it doesn't presently
> support any form of inheritance of labels from the parent namespace, so
> files that are shared read-only from the init namespace will show up as
> unlabeled in the child namespace until they are assigned the namespaced
> attributes. This for example breaks running the selinux-testsuite with
> this patch applied (unless perhaps you run restorecon -R / after
> unsharing); otherwise just trying to invoke /usr/bin/runcon will fail
> since it is unlabeled in the child. It seems like we should provide
> some form of inheritance from the parent when there is no xattr for the
> namespace itself.
I was assuming that practical use of this would involve doing a filesystem
relabel under the newly loaded policy, on first instantiation at least.
We could try adding an selinuxfs node to specify default handling of
unlabeled files in a child namespace, and write to that after mounting
selinuxfs in that namespace.
e.g. echo inherit > /sys/fs/selinux/parent_ns_labels
or something.
>
> Another potential concern is that files created in a non-init namespace
> are left completely unlabeled in the init namespace (or in any parent).
> As long as access to unlabeled is tightly controlled, this might
> not be a problem, but I'm not sure that's guaranteed by the refpolicy
> or Fedora/RHEL policies. We might want to initialize an xattr at every
> level of the namespace hierarchy when a new file is created based on
> the process and parent directory labels and policy at that level.
> Otherwise, we lose all provenance information for the file outside of
> the namespace.
Ok.
> For example, suppose I want to leak information out of
> my category set; I unshare and create files with the information, and
> they appear in the init namespace with no categories.
Nice :)
--
James Morris
<james.l.morris@oracle.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: James Morris <james.l.morris@oracle.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs
Date: Tue, 31 Oct 2017 14:11:48 +1100 (AEDT) [thread overview]
Message-ID: <alpine.LFD.2.20.1710311357320.22021@localhost> (raw)
In-Reply-To: <1509390973.10174.9.camel@tycho.nsa.gov>
On Mon, 30 Oct 2017, Stephen Smalley wrote:
> Thanks, interesting approach. One drawback is that it doesn't presently
> support any form of inheritance of labels from the parent namespace, so
> files that are shared read-only from the init namespace will show up as
> unlabeled in the child namespace until they are assigned the namespaced
> attributes. This for example breaks running the selinux-testsuite with
> this patch applied (unless perhaps you run restorecon -R / after
> unsharing); otherwise just trying to invoke /usr/bin/runcon will fail
> since it is unlabeled in the child. It seems like we should provide
> some form of inheritance from the parent when there is no xattr for the
> namespace itself.
I was assuming that practical use of this would involve doing a filesystem
relabel under the newly loaded policy, on first instantiation at least.
We could try adding an selinuxfs node to specify default handling of
unlabeled files in a child namespace, and write to that after mounting
selinuxfs in that namespace.
e.g. echo inherit > /sys/fs/selinux/parent_ns_labels
or something.
>
> Another potential concern is that files created in a non-init namespace
> are left completely unlabeled in the init namespace (or in any parent).
> As long as access to unlabeled is tightly controlled, this might
> not be a problem, but I'm not sure that's guaranteed by the refpolicy
> or Fedora/RHEL policies. We might want to initialize an xattr at every
> level of the namespace hierarchy when a new file is created based on
> the process and parent directory labels and policy at that level.
> Otherwise, we lose all provenance information for the file outside of
> the namespace.
Ok.
> For example, suppose I want to leak information out of
> my category set; I unshare and create files with the information, and
> they appear in the init namespace with no categories.
Nice :)
--
James Morris
<james.l.morris@oracle.com>
next prev parent reply other threads:[~2017-10-31 3:11 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-30 10:04 [RFC v0.1][PATCH] selinuxns: extend namespace support to security.selinux xattrs James Morris
2017-10-30 10:04 ` James Morris
2017-10-30 15:55 ` Casey Schaufler
2017-10-30 15:55 ` Casey Schaufler
2017-10-30 19:16 ` Stephen Smalley
2017-10-30 19:16 ` Stephen Smalley
2017-10-31 3:11 ` James Morris [this message]
2017-10-31 3:11 ` James Morris
2017-10-31 13:00 ` Stephen Smalley
2017-10-31 13:00 ` Stephen Smalley
2017-10-31 14:04 ` Stephen Smalley
2017-10-31 14:04 ` Stephen Smalley
2017-11-01 6:40 ` James Morris
2017-11-01 6:40 ` James Morris
2017-11-01 15:22 ` Stephen Smalley
2017-11-01 15:22 ` Stephen Smalley
2017-11-13 6:45 ` James Morris
2017-11-13 6:45 ` James Morris
2017-11-13 14:18 ` Stephen Smalley
2017-11-13 14:18 ` Stephen Smalley
2017-11-15 7:48 ` James Morris
2017-11-15 7:48 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.LFD.2.20.1710311357320.22021@localhost \
--to=james.l.morris@oracle.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.