selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: selinux@vger.kernel.org
Subject: Re: [SELinux-notebook PATCH v4] objects.md: some clarifications
Date: Thu, 16 Jul 2020 21:36:46 -0400	[thread overview]
Message-ID: <CAHC9VhS1d_=gotE6eau2hmxM+OjujY=u8sMQE10gNKOJ1z87dQ@mail.gmail.com> (raw)
In-Reply-To: <20200716121729.962241-1-dominick.grift@defensec.nl>

On Thu, Jul 16, 2020 at 8:18 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively.
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> v2: fixes patch description
> v3: adding patch description, s/policies/policy's/, split unlabeled and kernel descriptions for clarity
> v4: fixes another typo in description and emphasize system initialization a bit
>
> src/objects.md | 29 ++++++++++++++++++++++++++---
>  1 file changed, 26 insertions(+), 3 deletions(-)
>
> diff --git a/src/objects.md b/src/objects.md
> index 58664ef..c67787d 100644
> --- a/src/objects.md
> +++ b/src/objects.md
> @@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users
>  (until labeling goes wrong !!). As processes and objects are created and
>  destroyed, they either:
>
> -1.  Inherit their labels from the parent process or object.
> +1.  Inherit their labels from the parent process or object. The policy
> +    default type, role and range statements can be used to change the
> +    behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules)
> +    section.
>  2.  The policy type, role and range transition statements allow a
>      different label to be assigned as discussed in the
>      [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions)
>      section.
>  3.  SELinux-aware applications can enforce a new label (with the
> -    policies approval of course) using the **libselinux** API
> -    functions.
> +    policy's approval of course) using the **libselinux** API
> +    functions. The `process setfscreate` access vector can be used to
> +    allow subjects to create files with a new label programmatically
> +    using the ***setfscreatecon**(3)* function, overriding default
> +    rules and transition statements.
>  4.  An object manager (OM) can enforce a default label that can either
>      be built into the OM or obtained via a configuration file (such as
>      those used by
> @@ -269,6 +275,23 @@ and manage their transition:
>
>  `type_transition`, `role_transition` and `range_transition`
>
> +SELinux-aware applications can enforce a new label (with the policy's
> +approval of course) using the **libselinux** API functions. The
> +`process setexec`, `process setkeycreate` and `process setsockcreate`
> +access vectors can be used to allow subjects to label processes,
> +kernel keyrings, and sockets programmatically using the
> +***setexec**(3)*, ***setkeycreatecon**(3)* and
> +***setsockcreatecon**(3)* functions respectively, overriding
> +transition statements.
> +
> +The `kernel` **initial security identifier** is used to associate
> +specified labels with subjects that were left unlabeled due to
> +system initialization.

You are iterating faster than I can review the patches ;)  Please
don't misunderstand, I'm very happy you're contributing to the
notebook; I was hoping people would get involved and I'm glad to see
that is happening.

That said, while it is true that there are a few objects that are
initially assigned the "kernel" isid, those should gain proper labels
as they complete the initialization process, unless of course they are
actually owned by the kernel.  Which brings me to the next point, some
objects are legitimately owned by the kernel, the fact that they are
labeled with the "kernel" isid is intentional.  The same holds true
for the "kernel" isid as a subject label, in cases where you see the
"kernel" isid as a subject, it is actually the kernel acting on
something.

> +The `unlabeled` **initial security identifier** is used
> +to associate specified labels with subjects that had their label
> +invalidated due to policy changes at runtime.
> +
>  ### Object Reuse
>
>  As GNU / Linux runs it creates instances of objects and manages the
> --
> 2.27.0

-- 
paul moore
www.paul-moore.com

  reply	other threads:[~2020-07-17  1:37 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-10  7:09 [SELinux-notebook PATCH] onjects.md: some clarifications Dominick Grift
2020-07-10  7:14 ` [SELinux-notebook PATCH v2] objects.md: " Dominick Grift
2020-07-13 10:45   ` Richard Haines
2020-07-15  2:15   ` Paul Moore
2020-07-15  7:56     ` Dominick Grift
2020-07-16 11:18     ` [SELinux-notebook PATCH v3] " Dominick Grift
2020-07-16 12:17       ` [SELinux-notebook PATCH v4] " Dominick Grift
2020-07-17  1:36         ` Paul Moore [this message]
2020-07-17  6:41           ` Dominick Grift
2020-07-18  6:40           ` [SELinux-notebook PATCH v5] " Dominick Grift
2020-07-19  9:44           ` [SELinux-notebook PATCH v6] " Dominick Grift
2020-07-21 17:44             ` Stephen Smalley
2020-07-21 19:51               ` [SELinux-notebook PATCH v7] " Dominick Grift
2020-07-21 20:02                 ` [SELinux-notebook PATCH v8] " Dominick Grift
2020-07-21 20:14                   ` Dominick Grift
2020-07-22 16:48                     ` Stephen Smalley
2020-07-22 16:57                       ` Dominick Grift
2020-07-22 17:32                         ` Stephen Smalley
2020-07-23  8:13                           ` Dominick Grift
2020-07-23 12:22                             ` Stephen Smalley
2020-07-23 13:04                               ` Dominick Grift
2020-07-23 13:24                                 ` Stephen Smalley
2020-07-23 13:37                                   ` Dominick Grift
2020-07-24  7:54                                   ` Dominick Grift
2020-07-24 12:23                                     ` Stephen Smalley
2020-07-24 12:29                                       ` Dominick Grift
2020-07-24 12:56                                         ` Stephen Smalley
2020-07-24 13:06                                           ` Dominick Grift
2020-07-24 13:26                                             ` Stephen Smalley
2020-07-24 13:30                                               ` Dominick Grift
2020-07-22 17:29                       ` Dominick Grift
2020-07-22 15:11                   ` Stephen Smalley
2020-07-23  7:50                     ` [SELinux-notebook PATCH v9] " Dominick Grift
2020-07-23 12:00                       ` Stephen Smalley
2020-07-27 13:43                         ` Stephen Smalley
2020-07-28  2:17                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAHC9VhS1d_=gotE6eau2hmxM+OjujY=u8sMQE10gNKOJ1z87dQ@mail.gmail.com' \
    --to=paul@paul-moore.com \
    --cc=dominick.grift@defensec.nl \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).