Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Crispin Cowan <crispin@crispincowan.com>
To: Kyle Moffett <mrmacman_g4@mac.com>
Cc: Andrew Morgan <morgan@kernel.org>,
	casey@schaufler-ca.com, Stephen Smalley <sds@tycho.nsa.gov>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	linux-kernel@vger.kernel.org, chrisw@sous-sol.org,
	darwish.07@gmail.com, jmorris@namei.org, method@manicmethod.com,
	paul.moore@hp.com,
	LSM List <linux-security-module@vger.kernel.org>
Subject: Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree
Date: Sat, 24 Nov 2007 19:36:43 -0800	[thread overview]
Message-ID: <4748EDCB.90403@crispincowan.com> (raw)
In-Reply-To: <823A64A2-C962-403C-A0EB-95EA79B2DB91@mac.com>

Kyle Moffett wrote:
> On Nov 24, 2007, at 06:39:34, Crispin Cowan wrote:
>> Andrew Morgan wrote:
>>> It feels to me as if a MAC "override capability" is, if true to its
>>> name, extra to the MAC model; any MAC model that needs an 'override'
>>> to function seems under-specified... SELinux clearly feels no need
>>> for one,
>> That's not quite right. More specifically, it already has one in the
>> form of unconfined_t. AppArmor has a similar escape hatch in the "Ux"
>> permission. Its not that they don't need one, it is that they already
>> have one. They get to have one because they allow you to actually
>> write a policy that is more nuanced than "process label must dominate
>> object label".
> Actually, a fully-secured strict-mode SELinux system will have no
> unconfined_t processes; none of my test systems have any.  Generally
> "unconfined_t" is used for situations similar to what AppArmor was
> designed for, where the only "interesting" security is that of the
> daemon (which is properly labelled) and one or more of the users are
> unconfined.
Interesting. In a Targeted Policy, you do your policy administration
from unconfined_t. But how do you administer a Strict Policy machine? I
can think of 2 ways:

    * reboot to single user and hack away
          o hurts usability because you need physical presence to change
            policy, but is highly secure
    * there is some type that is tighter than unconfined_t but none the
      less has sufficient privilege to change policy
          o to me, this would be semantically equivalent to
            unconfined_t, because any rogue code or user with this type
            could then fabricate unconfined_t and do what they want


> Even then "unconfined_t" is not an implicit part of the policy, it is
> explicitly given the ability to take any action on any object by rules
> in the policy, and it typically still falls under a few MLS labeling
> restrictions even in the targeted policy.
Which is more or less the distinction I was trying to draw between
hierarchical systems (MLS) and policy systems (SELinux TE, AppArmor,
etc.) that policy systems let you write yourself an escape hatch in
policy, and MLS systems don't. Or at least they need to kludge something :)

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin
CEO, Mercenary Linux		   http://mercenarylinux.com/
	       Itanium. Vista. GPLv3. Complexity at work

next prev parent reply	other threads:[~2007-11-25  3:36 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <200711202206.lAKM6BlW025868@imap1.linux-foundation.org>
2007-11-21 15:48 ` + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree Serge E. Hallyn
2007-11-21 15:51   ` Stephen Smalley
2007-11-21 17:04     ` Serge E. Hallyn
2007-11-21 17:21     ` Casey Schaufler
2007-11-21 18:02       ` Stephen Smalley
2007-11-21 19:19         ` Casey Schaufler
2007-11-24  3:25           ` Andrew Morgan
2007-11-24  4:47             ` Casey Schaufler
2007-11-24  6:09               ` Andrew Morgan
2007-11-24 11:39                 ` Crispin Cowan
2007-11-24 19:16                   ` Casey Schaufler
2007-11-25  2:07                   ` Kyle Moffett
2007-11-25  3:36                     ` Crispin Cowan [this message]
2007-11-26 17:36                       ` Kyle Moffett
2007-11-26 19:55                         ` Joshua Brindle
2007-11-24 11:39               ` Crispin Cowan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4748EDCB.90403@crispincowan.com \
    --to=crispin@crispincowan.com \
    --cc=casey@schaufler-ca.com \
    --cc=chrisw@sous-sol.org \
    --cc=darwish.07@gmail.com \
    --cc=jmorris@namei.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=method@manicmethod.com \
    --cc=morgan@kernel.org \
    --cc=mrmacman_g4@mac.com \
    --cc=paul.moore@hp.com \
    --cc=sds@tycho.nsa.gov \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox