From: Chris PeBenito <pebenito@ieee.org>
To: Stephen Smalley <sds@tycho.nsa.gov>, Joe Nall <joe@nall.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: MLS dominance check behavior on el7
Date: Sun, 30 Sep 2018 10:43:41 -0400 [thread overview]
Message-ID: <62b6ac25-6528-79d4-a38d-7f75fe870a47@ieee.org> (raw)
In-Reply-To: <052415f8-589e-909f-ac00-8e67c5c23e0d@tycho.nsa.gov>
On 09/11/2018 04:20 PM, Stephen Smalley wrote:
> On 09/11/2018 03:04 PM, Joe Nall wrote:
>>
>>
>>> On Sep 11, 2018, at 1:29 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>
>>> On 09/11/2018 10:41 AM, Stephen Smalley wrote:
>>>> On 09/10/2018 06:30 PM, Ted Toth wrote:
>>>>> mcstrans mcscolor.c also uses the same logic I'd been using to
>>>>> check dominance so this too will no longer function as expected on
>>>>> el7. Do you any suggestions for doing a 'generic' (one not tied to
>>>>> a specific resource class) dominance check in lieu of context
>>>>> contains?
>>>> You should probably define your own permission with its own
>>>> constraint to avoid depending on the base policy's particular
>>>> constraint definitions. Certainly for your own code. For mcstrans,
>>>> mcscolor probably ought to be switched to using at least a separate
>>>> permission in the context class if not its own class to avoid
>>>> overloading the meaning with pam_selinux's usage (or vice versa, but
>>>> likely harder to change pam_selinux at this point).
>>>> It is possible to define an entirely new class, its permissions, and
>>>> its mls constraints via a CIL module IIUC, without needing to change
>>>> the base policy.
>>>> I don't think you can add a permission to an existing class via a
>>>> CIL module currently, unfortunately, so you can't just extend the
>>>> context class without modifying the base policy. So it may be
>>>> easier to define an entirely new class.
>>>> The class and permission ought to be specific to the usage. For
>>>> example, mcstrans could have its own class (mcstrans) with its own
>>>> permissions (e.g. color_match or color_use or ...) that abstract
>>>> away the logical check being performed. Dominance checks performed
>>>> for different reasons ought to use different permissions so that one
>>>> can distinguish what TE pairs are allowed them.
>>>> Your code could likewise define and use its own class and permission.
>>>> Does that make sense?
>>>
>>> BTW, I noticed there is another permission ("translate") defined in
>>> the context class and its constraint is ((h1 dom h2) or (t1 ==
>>> mlstranslate)). I would have guessed that it was intended as a
>>> front-end service check over what processes could request context
>>> translations from mcstrans or what contexts they could translate, but
>>> I don't see it being used in mcstrans anywhere. Is this a legacy
>>> thing from early setransd/mcstransd days? There is a TODO comment in
>>> mcstrans process_request() that suggests there was an intent to
>>> perform a dominance check between the requester context and the
>>> specified context, but that's not implemented. Appears to be allowed
>>> in current policy for all domains to the setrans_t domain itself.
>>
>> I think 'translate' predates my mcstransd work and dates from the
>> original TCS implementation. There is an argument to implement that
>> constraint, but we've been operating without it for so long it does
>> not seem worthwhile.
>
> Well, I guess we ought to either implement it or delete the permission
> definition from refpolicy.
I'm fine removing it. It's just the translate permission that is
unused, not the whole class, correct?
--
Chris PeBenito
next prev parent reply other threads:[~2018-09-30 14:43 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-10 17:13 MLS dominance check behavior on el7 Ted Toth
2018-09-10 17:47 ` Stephen Smalley
2018-09-10 18:19 ` Ted Toth
2018-09-10 22:30 ` Ted Toth
2018-09-11 14:41 ` Stephen Smalley
2018-09-11 16:53 ` Joshua Brindle
2018-09-11 17:33 ` Stephen Smalley
2018-09-11 17:39 ` Joshua Brindle
2018-09-11 18:21 ` Stephen Smalley
2018-09-11 18:29 ` Stephen Smalley
2018-09-11 18:49 ` Ted Toth
2018-09-11 18:55 ` Yuli Khodorkovskiy
2018-09-11 19:29 ` Stephen Smalley
2018-09-11 19:43 ` Stephen Smalley
2018-09-11 20:59 ` Ted Toth
2018-09-12 13:05 ` Stephen Smalley
2018-09-12 13:26 ` Ted Toth
2018-09-12 13:57 ` Stephen Smalley
2018-09-12 14:36 ` Dominick Grift
2018-09-12 14:57 ` Ted Toth
2018-09-14 21:18 ` Ted Toth
2018-09-15 6:08 ` Dominick Grift
2018-09-11 19:04 ` Joe Nall
2018-09-11 20:20 ` Stephen Smalley
2018-09-30 14:43 ` Chris PeBenito [this message]
[not found] ` <6e21676a-249d-8b05-dd9f-09a3671f46f7@tycho.nsa.gov>
2018-10-05 20:05 ` Chris PeBenito
2018-10-09 2:37 ` Chad Hanson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62b6ac25-6528-79d4-a38d-7f75fe870a47@ieee.org \
--to=pebenito@ieee.org \
--cc=joe@nall.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).