* access decision API
@ 2010-01-26 21:20 michel m
From: michel m @ 2010-01-26 21:20 UTC (permalink / raw)
  To: selinux

Hi,
I have some data in userspace whose security context I am keeping, but as
I want to write this data to some file in the OS, I need to consult the
security server on whether such data is allowed to be written to the file.
I would like to know if there is any API that lets me do such a scenario,
that is, takes a source and a destination security context as input (both
of them security contexts, not a domain context) and returns an access
decision. I am familiar with avc_has_perm(3), but it seems not to be the
correct solution because it gets a domain context as the first argument.

Best regards.


* Re: access decision API
@ 2010-01-26 21:34 ` Stephen Smalley
From: Stephen Smalley @ 2010-01-26 21:34 UTC (permalink / raw)
  To: michel m; +Cc: selinux

On Wed, 2010-01-27 at 00:50 +0330, michel m wrote:
> Hi,
> I have some data in userspace whose security context I am keeping, but
> as I want to write this data to some file in the OS, I need to consult
> the security server on whether such data is allowed to be written to
> the file.
> I would like to know if there is any API that lets me do such a
> scenario, that is, takes a source and a destination security context
> as input (both of them security contexts, not a domain context) and
> returns an access decision. I am familiar with avc_has_perm(3), but it
> seems not to be the correct solution because it gets a domain context
> as the first argument.

avc_has_perm() can be used with any pair of security contexts.  Typical
usage is to pass the security context of a subject/process as the first
argument, but not always (e.g. there are some permission checks that
control inter-object relationships), and that is not a requirement.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: access decision API
@ 2010-01-26 21:56   ` Stephen Smalley
From: Stephen Smalley @ 2010-01-26 21:56 UTC (permalink / raw)
  To: michel m; +Cc: selinux

Example usage of the userspace AVC can be found in the XSELinux
extension, see:
http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xselinux_hooks.c
http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xselinuxint.h

The modern usage is to call:
1) selinux_set_callback() to set up the callback functions for
libselinux to use for logging/auditing or to notify the application of
changes to enforcing mode or policy.
2) selinux_set_mapping() to set up a dynamic mapping for the object
classes and permissions so that your application does not depend on
fixed values for them in the policy, and
3) avc_open() to initialize the AVC.

Then you can proceed to call avc_context_to_sid() and avc_has_perm() as
appropriate.

If you don't need caching, you can directly call security_compute_av();
however this pushes responsibility for checking the particular
permission bit, checking for and handling permissive mode/domains, and
generating an avc audit message to your application.  There has been a
prior request to introduce a simpler interface for programs that do not
require caching, see:
https://bugzilla.redhat.com/show_bug.cgi?id=518268

-- 
Stephen Smalley
National Security Agency



* Re: access decision API
@ 2010-01-27 14:40     ` michel m
From: michel m @ 2010-01-27 14:40 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

Thanks for the guidance, but here I am with a question: what should be used
as the object class in avc_has_perm(3) when using it for inter-object checks?
Is there any sample for inter-object access decisions? Can it be null?

On the other hand, does the access decision taken by avc_has_perm() include
MLS too?

regards.


* Re: access decision API
@ 2010-01-27 18:32       ` Stephen Smalley
From: Stephen Smalley @ 2010-01-27 18:32 UTC (permalink / raw)
  To: michel m; +Cc: selinux

On Wed, 2010-01-27 at 18:10 +0330, michel m wrote:
> Thanks for the guidance, but here I am with a question: what should be
> used as the object class in avc_has_perm(3) when using it for
> inter-object checks? Is there any sample for inter-object access
> decisions? Can it be null?

The class value would be the class of the target object.
Example in the kernel:
 return avc_has_perm(newsid, sbsec->sid,
                     SECCLASS_FILESYSTEM,
                     FILESYSTEM__ASSOCIATE, &ad);

This controls the relationship between a file security context and the
security context of the containing filesystem.

> 
> On the other hand, does the access decision taken by avc_has_perm()
> include MLS too?
-- 
Stephen Smalley
National Security Agency



* Re: access decision API
@ 2010-01-27 18:33       ` Stephen Smalley
From: Stephen Smalley @ 2010-01-27 18:33 UTC (permalink / raw)
  To: michel m; +Cc: selinux

On Wed, 2010-01-27 at 18:10 +0330, michel m wrote:
> Thanks for the guidance, but here I am with a question: what should be
> used as the object class in avc_has_perm(3) when using it for
> inter-object checks? Is there any sample for inter-object access
> decisions? Can it be null?
> 
> On the other hand, does the access decision taken by avc_has_perm()
> include MLS too?

Yes, the avc_has_perm() or security_compute_av() decision takes into
account all policy models implemented within the security server,
including RBAC, TE, and MLS.

-- 
Stephen Smalley
National Security Agency



* Re: access decision API
@ 2010-01-30  8:33         ` michel m
From: michel m @ 2010-01-30  8:33 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

As the last question,
what I need is to ask the security server whether data residing in userspace,
owning a context, can be written to a file in the OS.
Does it make sense if I do it in this way:
    avc_has_perm(data_sid  ,file_sid,  SECLASS_FILE , null, null)

I am confused, because I guessed using such a syntax means checking whether a
process is able to write to a file, but here we are going to check if data can
be *written* to a file.

If everything is OK, how is the action specified, that is, write?
Regards.



* Re: access decision API
@ 2010-02-01 14:28           ` Stephen Smalley
From: Stephen Smalley @ 2010-02-01 14:28 UTC (permalink / raw)
  To: michel m; +Cc: selinux

On Sat, 2010-01-30 at 12:03 +0330, michel m wrote:
> As the last question,
> what I need is to ask the security server whether data residing in
> userspace, owning a context, can be written to a file in the OS.
> Does it make sense if I do it in this way:
>     avc_has_perm(data_sid  ,file_sid,  SECLASS_FILE , null, null)
> 
> I am confused, because I guessed using such a syntax means checking
> whether a process is able to write to a file, but here we are going to
> check if data can be written to a file.
> 
> If everything is OK, how is the action specified, that is, write?

I would recommend defining a new security class and permission for your
purpose to avoid confusion with existing ones and to avoid conflicts
with any future additions to the existing ones.  You can define new
classes and permissions by adding them to the security_classes and
access_vectors files under refpolicy/policy/flask in the reference
policy.  Then you can define your own SECCLASS_FOO and FOO__WRITE
definitions, and establish a mapping via selinux_set_mapping().

-- 
Stephen Smalley
National Security Agency


