From: "Toshiharu Harada" <haradats@gmail.com>
To: "Kyle Moffett" <mrmacman_g4@mac.com>
Cc: "James Morris" <jmorris@namei.org>,
casey@schaufler-ca.com, "Andreas Gruenbacher" <agruen@suse.de>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook
Date: Mon, 28 May 2007 19:41:11 +0900 [thread overview]
Message-ID: <9d732d950705280341x78575d85kaf95b0e2884723f3@mail.gmail.com> (raw)
In-Reply-To: <4F828E03-DA6B-484E-A8F2-885D1BC6F23E@mac.com>
[-- Attachment #1: Type: text/plain, Size: 4918 bytes --]
2007/5/27, Kyle Moffett <mrmacman_g4@mac.com>:
> On May 27, 2007, at 03:25:27, Toshiharu Harada wrote:
> > 2007/5/27, Kyle Moffett <mrmacman_g4@mac.com>:
> How is that argument not trivially circular? "Foo has an assumption
> that foo-property is always properly defined and maintained." That
> could be said about *anything*:
What I wanted to mention was the difficulties or efforts to make
assumptions real. I never meant a circular argument, but if you
felt so I apologize sincerely.
> >> If you can't properly manage your labels, then how do you expect
> >> any security at all?
> >
> > Please read my message again. I didn't say, "This can never be
> > achieved". I said, "This can not be easily achieved".
>
> So you said "(data labels) can not be easily achieved". My question
> for you is: How do you manage secure UNIX systems without standard
> UNIX permission bits? Also: If you have problems with data labels
> then what makes pathname based labels "easier"? If there is
> something that could be done to improve SELinux and make it more
> readily configurable then it should probably be done.
Permission bits can be checked easily with "ls" command,
but assuring the correctness of labels are not that easy.
I'll try to explain.
The correctness of the permission bit for a given file can be judged
solely by the result of "ls" command. The correctness of the label,
on the other hand, can't be judged without understanding of whole policy
including domain transitions. (see the attached figure)
I can imagine that once one get the complete SELinux policy,
then it is able to modify and maintain it.
I don't say making a complete SELinux policy is impossible,
and actually you said you did it. But to be frank, I don't think
you are the average level user at all. ;-)
> > I'm very interested in how you can know that you have the correct
> > object labeling (this is my point). Could you tell?
>
> I know that I have the correct object labeling because:
Do you mind if I add this?
0) I understood the default policy and perfectly understand the
every behavior of my system.
this is where the difficulties exist.
> 1) I rewrote/modified the default policy to be extremely strict on
> the system where I wanted the extra security and hassle.
> 2) I ensured that the type transitions were in place for almost
> everything that needed to be done to administer the system.
> 3) I wrote a file-contexts file and relabeled *once*
> 4) I loaded the customized policy plus policy for restorecon and
> relabeled for the last time
> 5) I reloaded the customized policy without restorecon privileges
> and without the ability to reload the policy again.
> 6) I never reboot the system without enforcing mode.
> 7) If there are unexpected errors or files have incorrect labels,
> I have to get the security auditor to log in on the affected system
> and relabel the problematic files manually (rare occurrence which
> requires excessive amounts of paperwork).
Thank you for the procedures. It's quite helpful.
> > I don't deny DAC at all. If we deny DAC, we can't live with Linux
> > it's the base. MAC can be used to cover the shortages of DAC and
> > Linux's simple user model, that's it.
> >
> > From security point of view, simplicity is always the virtue and
> > the way to go. Inode combined label is guaranteed to be a single
> > at any point time. This is the most noticeable advantage of label-
> > based security.
>
> I would argue that pathname-based security breaks the "simplicity is
> the best virtue (of a security system)" paradigm, because it
> attributes multiple potentially-conflicting labels to the same piece
Every pathname-based security must provide the mechanism
to prevent a conflicting/malicious access, otherwise it's junk.
I have a question for you. With current implementation of
SELinux, only one label can be assigned. But there are cases
that one object can be used in different context, so I think
it might help if SELinux would allow objects to have
multiple labels. (I'm not talking about conflicts here)
What do you think?
> > But writing policy with labels are somewhat indirect way (I mean,
> > we need "ls -Z" or "ps -Z"). Indirect way can cause flaw so we
> > need a lot of work that is what I wanted to tell.
>
> I don't really use "ls -Z" or "ps -Z" when writing SELinux policy; I
> do that only when I actually think I mislabeled files.
I believe what you wrote, but it may not be as easy for average Linux users.
> Typically the SELinux-policy-development cycle is:
> 1) Modify and reload the policy
> 2) Relabel the affected files (either by hand or with some
> automated tool like restorecon)
> 3) Rerun the problem program or daemon
> 4) Examine the errors in the audit logs. If there are no errors
> and it works then you're finished.
> 5) Go back to step 1 and fix your policy
Cheers,
Toshiharu Harada
[-- Attachment #2: fig.png --]
[-- Type: image/png, Size: 15431 bytes --]
next prev parent reply other threads:[~2007-05-28 10:41 UTC|newest]
Thread overview: 159+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-12 9:08 [AppArmor 00/41] AppArmor security module overview jjohansen
2007-04-12 9:08 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook jjohansen
2007-04-12 10:06 ` Christoph Hellwig
2007-04-16 16:11 ` [nameidata 1/2] Don't pass NULL nameidata to vfs_create Andreas Gruenbacher
2007-04-16 16:21 ` Christoph Hellwig
2007-04-16 16:40 ` Andreas Gruenbacher
2007-04-16 16:45 ` Christoph Hellwig
2007-04-17 12:09 ` Andreas Gruenbacher
2007-05-11 15:59 ` Andreas Gruenbacher
2007-04-16 16:25 ` Matthew Wilcox
2007-04-16 16:29 ` [nameidata 2/2] Pass no useless nameidata to the create, lookup, and permission IOPs Andreas Gruenbacher
2007-04-16 16:39 ` Christoph Hellwig
2007-04-16 16:42 ` Randy Dunlap
2007-04-16 16:44 ` Andreas Gruenbacher
2007-04-16 16:50 ` Randy Dunlap
2007-04-12 10:12 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook Al Viro
2007-05-23 19:06 ` Andreas Gruenbacher
2007-05-24 1:28 ` James Morris
2007-05-24 9:16 ` Andreas Gruenbacher
2007-05-24 12:51 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSMhook Tetsuo Handa
[not found] ` <200705241112.41101.agruen@suse.de>
2007-05-24 13:19 ` [AppArmor 01/41] Pass struct vfsmount to the inode_create LSM hook James Morris
2007-05-24 18:10 ` Andreas Gruenbacher
2007-05-24 18:40 ` Al Viro
2007-05-24 21:56 ` Andreas Gruenbacher
2007-05-24 18:58 ` Casey Schaufler
2007-05-25 4:14 ` Andreas Gruenbacher
2007-05-25 5:17 ` Jeremy Maitin-Shepard
2007-05-25 17:43 ` Casey Schaufler
2007-05-25 18:10 ` Jeremy Maitin-Shepard
2007-05-25 18:13 ` Jeremy Maitin-Shepard
2007-05-25 19:06 ` Casey Schaufler
2007-05-26 1:40 ` Tetsuo Handa
2007-05-26 12:10 ` Andreas Gruenbacher
2007-05-26 22:58 ` Casey Schaufler
2007-05-27 1:33 ` Valdis.Kletnieks
2007-05-25 20:00 ` Andreas Gruenbacher
2007-05-25 20:27 ` Casey Schaufler
2007-05-26 5:27 ` Crispin Cowan
2007-05-26 13:34 ` Alan Cox
2007-05-26 14:05 ` Andreas Gruenbacher
2007-05-26 18:41 ` James Morris
2007-05-26 5:20 ` Kyle Moffett
2007-05-26 11:46 ` Andreas Gruenbacher
2007-05-26 12:09 ` Tetsuo Handa
2007-05-26 13:41 ` Andreas Gruenbacher
2007-05-26 14:44 ` Tetsuo Handa
2007-05-26 16:52 ` Andreas Gruenbacher
2007-05-26 18:16 ` Kyle Moffett
2007-05-26 18:45 ` [AppArmor 01/41] " James Morris
2007-05-26 23:08 ` Toshiharu Harada
2007-05-27 2:10 ` Kyle Moffett
2007-05-27 2:37 ` Valdis.Kletnieks
2007-05-27 5:32 ` Kyle Moffett
2007-05-28 20:38 ` Pavel Machek
2007-05-29 2:00 ` Kyle Moffett
2007-05-27 7:25 ` Toshiharu Harada
2007-05-27 13:35 ` Kyle Moffett
2007-05-28 10:41 ` Toshiharu Harada [this message]
2007-05-29 1:54 ` Kyle Moffett
2007-05-29 21:17 ` Valdis.Kletnieks
2007-05-30 5:52 ` Crispin Cowan
2007-05-24 14:40 ` Pavel Machek
2007-05-30 10:06 ` Alan Cox
2007-05-30 2:38 ` Toshiharu Harada
2007-05-27 8:34 ` Cliffe
2007-05-27 13:07 ` Kyle Moffett
2007-05-27 16:12 ` Casey Schaufler
2007-05-25 8:01 ` Toshiharu Harada
2007-04-12 9:08 ` [AppArmor 02/41] Remove redundant check from proc_setattr() jjohansen
2007-04-12 9:08 ` [AppArmor 03/41] Remove redundant check from proc_sys_setattr() jjohansen
2007-04-12 10:10 ` Alan Cox
2007-04-12 9:08 ` [AppArmor 04/41] Pass struct file down to remove_suid and children jjohansen
2007-04-12 9:08 ` [AppArmor 05/41] Add a vfsmount parameter to notify_change() jjohansen
2007-04-12 9:08 ` [AppArmor 06/41] Pass struct vfsmount to the inode_setattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 07/41] Add struct vfsmount parameter to vfs_mkdir() jjohansen
2007-04-12 9:08 ` [AppArmor 08/41] Pass struct vfsmount to the inode_mkdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 09/41] Add a struct vfsmount parameter to vfs_mknod() jjohansen
2007-04-12 9:08 ` [AppArmor 10/41] Pass struct vfsmount to the inode_mknod LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 11/41] Add a struct vfsmount parameter to vfs_symlink() jjohansen
2007-04-12 9:08 ` [AppArmor 12/41] Pass struct vfsmount to the inode_symlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 13/41] Pass struct vfsmount to the inode_readlink " jjohansen
2007-04-12 9:08 ` [AppArmor 14/41] Add struct vfsmount parameters to vfs_link() jjohansen
2007-04-12 9:08 ` [AppArmor 15/41] Pass the struct vfsmounts to the inode_link LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 16/41] Add a struct vfsmount parameter to vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 17/41] Pass struct vfsmount to the inode_rmdir LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 18/41] call lsm hook before unhashing dentry in vfs_rmdir() jjohansen
2007-04-12 9:08 ` [AppArmor 19/41] Add a struct vfsmount parameter to vfs_unlink() jjohansen
2007-04-12 9:08 ` [AppArmor 20/41] Pass struct vfsmount to the inode_unlink LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 21/41] Add struct vfsmount parameters to vfs_rename() jjohansen
2007-04-12 9:08 ` [AppArmor 22/41] Pass struct vfsmount to the inode_rename LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 23/41] Add a struct vfsmount parameter to vfs_setxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 24/41] Pass struct vfsmount to the inode_setxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 25/41] Add a struct vfsmount parameter to vfs_getxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 26/41] Pass struct vfsmount to the inode_getxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 27/41] Add a struct vfsmount parameter to vfs_listxattr() jjohansen
2007-04-12 9:08 ` [AppArmor 28/41] Pass struct vfsmount to the inode_listxattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 29/41] Add a struct vfsmount parameter to vfs_removexattr() jjohansen
2007-04-12 9:08 ` [AppArmor 30/41] Pass struct vfsmount to the inode_removexattr LSM hook jjohansen
2007-04-12 9:08 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts jjohansen
2007-04-12 9:58 ` Alan Cox
2007-04-15 17:40 ` Andreas Gruenbacher
2007-04-16 21:57 ` Alan Cox
2007-04-17 1:35 ` Andreas Gruenbacher
2007-04-17 17:21 ` Alan Cox
2007-04-19 23:23 ` [d_path 0/7] Fixes to d_path: Respin Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 1/7] Fix __d_path() for lazy unmounts and make it unambiguous Andreas Gruenbacher
2007-04-20 9:32 ` Alan Cox
2007-04-19 23:23 ` [d_path 2/7] Make d_path() consistent across mount operations Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 3/7] Add d_namespace_path() to compute namespace relative pathnames Andreas Gruenbacher
2007-04-21 12:57 ` Tetsuo Handa
2007-04-21 16:16 ` Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 4/7] Make getcwd() only return valid paths Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 5/7] Remove duplicate proc code Andreas Gruenbacher
2007-04-19 23:23 ` [d_path 6/7] Filter out disconnected paths from /proc/mounts Andreas Gruenbacher
2007-04-20 9:34 ` Alan Cox
2007-04-19 23:23 ` [d_path 7/7] Distinguish between connected and disconnected paths in d_path() Andreas Gruenbacher
2007-04-20 9:30 ` [d_path 0/7] Fixes to d_path: Respin Alan Cox
2007-04-20 11:45 ` Andreas Gruenbacher
2007-04-20 15:15 ` Ulrich Drepper
2007-04-20 15:21 ` Andreas Gruenbacher
2007-04-20 15:24 ` Ulrich Drepper
2007-04-20 16:40 ` Andreas Gruenbacher
2007-04-20 19:17 ` Ulrich Drepper
2007-04-20 20:44 ` Miklos Szeredi
2007-04-21 19:04 ` Andreas Gruenbacher
2007-04-21 19:46 ` Ulrich Drepper
2007-04-22 9:10 ` Christoph Hellwig
2007-04-22 15:48 ` Andreas Gruenbacher
2007-04-17 6:30 ` [AppArmor 31/41] Fix __d_path() for lazy unmounts and make it unambiguous; exclude unreachable mount points from /proc/mounts Rob Meijer
2007-04-12 9:08 ` [AppArmor 32/41] Make d_path() consistent across mount operations jjohansen
2007-04-12 9:08 ` [AppArmor 33/41] Add d_namespace_path() to obtain namespace relative pathnames jjohansen
2007-04-12 10:49 ` Al Viro
2007-04-12 9:08 ` [AppArmor 34/41] Enable LSM hooks to distinguish operations on file descriptors from operations on pathnames jjohansen
2007-04-12 9:08 ` [AppArmor 35/41] Pass struct file down the inode_*xattr security LSM hooks jjohansen
2007-04-12 9:08 ` [AppArmor 36/41] Export audit subsystem for use by modules jjohansen
2007-04-12 9:08 ` [AppArmor 37/41] AppArmor: Main Part jjohansen
2007-04-12 10:37 ` Alan Cox
2007-04-13 8:17 ` Andreas Gruenbacher
2007-04-13 8:48 ` Andreas Gruenbacher
2007-04-13 8:52 ` Nick Piggin
2007-04-12 9:08 ` [AppArmor 38/41] AppArmor: Module and LSM hooks jjohansen
2007-04-12 10:21 ` Alan Cox
2007-04-16 21:37 ` John Johansen
2007-04-12 9:08 ` [AppArmor 39/41] AppArmor: Profile loading and manipulation, pathname matching jjohansen
2007-04-12 10:28 ` Alan Cox
2007-04-12 13:46 ` Andi Kleen
2007-04-15 14:21 ` Andreas Gruenbacher
2007-04-16 6:27 ` Andi Kleen
2007-04-16 20:56 ` John Johansen
2007-04-16 7:39 ` Pavel Machek
2007-04-16 22:00 ` Alan Cox
2007-04-16 22:11 ` John Johansen
2007-04-12 9:08 ` [AppArmor 40/41] AppArmor: all the rest jjohansen
2007-04-12 10:32 ` Al Viro
2007-04-12 11:32 ` Al Viro
2007-04-12 9:08 ` [AppArmor 41/41] Add AppArmor LSM to security/Makefile jjohansen
2007-04-12 10:33 ` [AppArmor 00/41] AppArmor security module overview Shaya Potter
2007-04-12 13:50 ` Pavel Machek
2007-04-13 8:04 ` Rob Meijer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9d732d950705280341x78575d85kaf95b0e2884723f3@mail.gmail.com \
--to=haradats@gmail.com \
--cc=agruen@suse.de \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mrmacman_g4@mac.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).