Re: MCS and default labels

[Stephen Smalley <sds@tycho.nsa.gov>]

On Mon, 2009-09-14 at 10:19 +0200, Michal Svoboda wrote:
> Stephen Smalley wrote:
> > The kernel MLS logic lives in security/selinux/ss/mls.c.  Determining
> > the MLS level of a new subject or object is handled by
> > mls_compute_sid().  Any change would have to support either model
> > (inherit from source context or inherit from target context), so
> > logically it would be policy-driven.  Which likely means an extension to
> > the policy language and compiler.  Not an entirely trivial undertaking.
> 
> I have looked at the source code and it seems that in the said function
> mls_compute_sid(), under the "case AVTAB_CHANGE:" and in the "else" path
> (tclass != SECCLASS_PROCESS) the statement
> 
> mls_context_cpy_low(newcontext, scontext)
> 
> would need to be changed to
> 
> mls_context_cpy(newcontext, tcontext).
> 
> To support the original behavior, I would add a 1/0 readable/writable
> file to selinuxfs, say "mls_defcontext_inherit" by mimicking the
> behavior of the "enforce" file and its associated r/w functions. It
> seems to me that this would suffice enough and it would avoid the need
> to modify the policy language.
> 
> Would this change be acceptable?

I don't think so - the problem with selinuxfs tunables is that they
can't be changed atomically with a policy change, and this is a property
that should be tied to a particular policy.  For the same reason,
properties like handle_unknown and permissive domains are defined in the
policy itself rather than being selinuxfs tunables.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.