selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Joe Nall <joe@nall.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ted Toth <txtoth@gmail.com>, SELinux <selinux@tycho.nsa.gov>
Subject: Re: MLS dominance check behavior on el7
Date: Tue, 11 Sep 2018 14:04:51 -0500	[thread overview]
Message-ID: <2E8FB4B5-598A-4741-9AC6-70C9995A48F9@nall.com> (raw)
In-Reply-To: <85bb9bec-2bda-34fa-1f7d-256470c4f38c@tycho.nsa.gov>



> On Sep 11, 2018, at 1:29 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> 
> On 09/11/2018 10:41 AM, Stephen Smalley wrote:
>> On 09/10/2018 06:30 PM, Ted Toth wrote:
>>> mcstrans mcscolor.c also uses the same logic I'd been using to check dominance so this too will no longer function as expected on el7. Do you any suggestions for doing a 'generic' (one not tied to a specific resource class) dominance check in lieu of context contains?
>> You should probably define your own permission with its own constraint to avoid depending on the base policy's particular constraint definitions.  Certainly for your own code.  For mcstrans, mcscolor probably ought to be switched to using at least a separate permission in the context class if not its own class to avoid overloading the meaning with pam_selinux's usage (or vice versa, but likely harder to change pam_selinux at this point).
>> It is possible to define an entirely new class, its permissions, and its mls constraints via a CIL module IIUC, without needing to change the base policy.
>> I don't think you can add a permission to an existing class via a CIL module currently, unfortunately, so you can't just extend the context class without modifying the base policy.  So it may be easier to define an entirely new class.
>> The class and permission ought to be specific to the usage.  For example, mcstrans could have its own class (mcstrans) with its own permissions (e.g. color_match or color_use or ...) that abstract away the logical check being performed.  Dominance checks performed for different reasons ought to use different permissions so that one can distinguish what TE pairs are allowed them.
>> Your code could likewise define and use its own class and permission.
>> Does that make sense?
> 
> BTW, I noticed there is another permission ("translate") defined in the context class and its constraint is ((h1 dom h2) or (t1 == mlstranslate)).  I would have guessed that it was intended as a front-end service check over what processes could request context translations from mcstrans or what contexts they could translate, but I don't see it being used in mcstrans anywhere.  Is this a legacy thing from early setransd/mcstransd days?  There is a TODO comment in mcstrans process_request() that suggests there was an intent to perform a dominance check between the requester context and the specified context, but that's not implemented.  Appears to be allowed in current policy for all domains to the setrans_t domain itself.

I think 'translate' predates my mcstransd work and dates from the original TCS implementation. There is an argument to implement that constraint, but we've been operating without it for so long it does not seem worthwhile.

joe

  parent reply	other threads:[~2018-09-11 19:04 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-09-10 17:13 MLS dominance check behavior on el7 Ted Toth
2018-09-10 17:47 ` Stephen Smalley
2018-09-10 18:19   ` Ted Toth
2018-09-10 22:30     ` Ted Toth
2018-09-11 14:41       ` Stephen Smalley
2018-09-11 16:53         ` Joshua Brindle
2018-09-11 17:33           ` Stephen Smalley
2018-09-11 17:39             ` Joshua Brindle
2018-09-11 18:21               ` Stephen Smalley
2018-09-11 18:29         ` Stephen Smalley
2018-09-11 18:49           ` Ted Toth
2018-09-11 18:55             ` Yuli Khodorkovskiy
2018-09-11 19:29             ` Stephen Smalley
2018-09-11 19:43               ` Stephen Smalley
2018-09-11 20:59               ` Ted Toth
2018-09-12 13:05                 ` Stephen Smalley
2018-09-12 13:26                   ` Ted Toth
2018-09-12 13:57                     ` Stephen Smalley
2018-09-12 14:36                       ` Dominick Grift
2018-09-12 14:57                         ` Ted Toth
2018-09-14 21:18                           ` Ted Toth
2018-09-15  6:08                             ` Dominick Grift
2018-09-11 19:04           ` Joe Nall [this message]
2018-09-11 20:20             ` Stephen Smalley
2018-09-30 14:43               ` Chris PeBenito
     [not found]                 ` <6e21676a-249d-8b05-dd9f-09a3671f46f7@tycho.nsa.gov>
2018-10-05 20:05                   ` Chris PeBenito
2018-10-09  2:37                     ` Chad Hanson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2E8FB4B5-598A-4741-9AC6-70C9995A48F9@nall.com \
    --to=joe@nall.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    --cc=txtoth@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).