All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Paris <eparis@redhat.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Chad Sellers <csellers@tresys.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov
Subject: RE: [RFC] Ability to allow undefined permissions and classes -v2
Date: Wed, 14 Feb 2007 14:40:28 -0500	[thread overview]
Message-ID: <1171482028.18488.12.camel@localhost.localdomain> (raw)
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B015888BA220@exchange.columbia.tresys.com>

On Wed, 2007-02-14 at 14:22 -0500, Joshua Brindle wrote:
> > From: Eric Paris [mailto:eparis@redhat.com] 
> > All of the policy for the whole system:
> > - My ^ 0xffffffff method will work just fine since the policy 
> > knows what is defined by policy and we can simply allow 
> > everything else.
> > - This would be the only reasonable way the kernel could 
> > answer through /selinux for userapace objects.  If the kernel 
> > doesn't know about the userspace objects or permissions how 
> > can it answer yes or no with any meaning?
> > 
> 
> It answers no if it doesn't know about it because selinux is deny by
> default, no means it isn't allowed.

The whole point of this exercise is to make it possible for the policy
author to make that rule a little less rigid.  But your point is taken
and I think we can make what you want work.

> > Only the kernel policy is loaded into the kernel:
> > - Either method works fine although the more directed method 
> > might help to catch accidental bugs in the kernel which would 
> > be missed by the shotgun method.
> > - Obviously userspace can't ask the kernel to make decisions 
> > since it doesn't know, so it seems I can be directed or just 
> > allow everything.
> > 
> 
> No, if userspace does manage to ask the kernel about something (on
> accident or otherwise) it must be denied by default, SELinux is a deny
> by default mechanism. The routing mechanism is in userland (in
> libselinux) so the kernel doesn't know to point the requester somewhere
> else for an answer, it must simply answer denied.

Hmmmmm, right now I say that any tclass in an access decision which is
larger than the highest class defined in policy is 'unknown' and so I
allow it.  If I want to try to make this methodology even more kernel
specific I will leave my current permissions table and I guess I also
need to define a bit map and fill it during validate_classes based on
the appearance of the class both in the loaded policy and in the kernel
pre-definitions...

> > So really I just need some ejumakashun on the mythic 
> > userspace security server and just what information will be 
> > available to the kernel when it is passed the policy.  And 
> > just what decision context_struct_compute_av might be ask to decide.
> > 
> 
> We haven't totally decided but I think its safe to assume that the
> kernel won't have policy for userspace object classes at all and may not
> even know of the existance of said classes. The userspace requests would
> be routed to a userspace security server and the kernel would only
> answer questions for object classes it controls (or maybe not even
> those).

Super kernel specific work coming up.

-Eric


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

  reply	other threads:[~2007-02-14 19:40 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-02-12 19:43 [RFC] Ability to allow undefined permissions and classes -v2 Eric Paris
2007-02-13 12:27 ` Stephen Smalley
2007-02-13 17:28   ` Eric Paris
2007-02-13 17:40     ` Stephen Smalley
2007-02-13 17:41       ` Stephen Smalley
2007-02-13 17:49       ` Stephen Smalley
2007-02-13 17:57         ` Stephen Smalley
2007-02-13 19:36       ` Eric Paris
2007-02-14 18:10         ` Chad Sellers
2007-02-14 18:49           ` Eric Paris
2007-02-14 19:22             ` Joshua Brindle
2007-02-14 19:40               ` Eric Paris [this message]
2007-02-15 18:33               ` Stephen Smalley
2007-02-15 18:46                 ` Stephen Smalley
2007-02-15 19:05                   ` Eric Paris
2007-02-15 19:12                     ` Chad Sellers
2007-02-15 19:27                     ` Stephen Smalley
2007-02-15 19:42                       ` Stephen Smalley
2007-02-15 19:44                       ` Eric Paris
2007-02-15 19:49                         ` Stephen Smalley
2007-02-15 19:03                 ` Karl MacMillan
2007-02-15 19:19                   ` Stephen Smalley
2007-02-14 18:12         ` Joshua Brindle
2007-02-15 18:30           ` Eamon Walsh
2007-02-15 20:51             ` Stephen Smalley
2007-02-15 18:05         ` Stephen Smalley
2007-02-14 17:38     ` Chad Sellers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1171482028.18488.12.camel@localhost.localdomain \
    --to=eparis@redhat.com \
    --cc=csellers@tresys.com \
    --cc=jbrindle@tresys.com \
    --cc=sds@tycho.nsa.gov \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.