* type bounds for files?
@ 2010-12-15 20:37 Michal Svoboda
From: Michal Svoboda @ 2010-12-15 20:37 UTC (permalink / raw)
  To: SELinux


Hello,

let's say I have a www service that's run through apache/selinux+ with
its own domain, say foo_t. The domain has write access to some files with
type foo_data_t (which is files_type) through an allow rule.

Now, due to the 'typebound httpd_t foo_t' rule used with apache domains,
I would normally also have to 'allow httpd_t foo_data_t : file ...'.

But today I saw another solution at work, which used an oddball rule
where the foo_data_t was type bounded by another files_type, something
like 'typebound http_user_data_t foo_data_t' (don't remember the
bounding type's name exactly). This would make the www service work the
expected way without the need for 'allow httpd_t foo_data_t : file ...'.

Is this a known behavior? What is the sense in typebounding file types?

Just for completeness this was on FC12 with targeted policy.

Michal Svoboda



* Re: type bounds for files?
From: KaiGai Kohei @ 2010-12-16  0:26 UTC (permalink / raw)
  To: SELinux

(2010/12/16 5:37), Michal Svoboda wrote:
> Hello,
> 
> let's say I have a www service that's run through apache/selinux+ with
> its own domain say foo_t. The domain has write access to some files with
> type foo_data_t (which is files_type) through an allow rule.
> 
> Now, due to the 'typebound httpd_t foo_t' rule used with apache domains,
> I would normally also have to 'allow httpd_t foo_data_t : file ...'.
> 
> But today I saw another solution at work, which used an oddball rule
> where the foo_data_t was type bounded by another files_type, something
> like 'typebound http_user_data_t foo_data_t' (don't remember the
> bounding type's name exactly). This would make the www service work the
> expected way without the need for 'allow httpd_t foo_data_t : file ...'.
> 
> Is this a known behavior? What is the sense in typebounding file types?
> 
Yes, it is known. We had a similar discussion before:
  http://marc.info/?l=selinux&m=126771862818496&w=2

The type-boundary feature originated from the type-hierarchy feature,
which has been supported in checkpolicy for several years.

Joshua said:
| The original hierarchy specified that if httpd_t had e.g., write access
| to httpd_sys_content_t then webapp_t could be given write access to
| webapp_content_t without httpd_t having direct access to webapp_content_t.
|
| This was done so that, in policy access controls, parents could be
| decoupled from children while still allowing child subjects to access
| child objects. One application of this was to have parents that,
| themselves, did not have access to children objects (or were not active
| at all).

It seems to me your use cases are right.
Maybe the term 'boundary' makes it hard to imagine this type of
functionality.

Thanks,
-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

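A policy fragment illustrating the arrangement Joshua describes, added here as an example and not taken from the thread or from any shipped policy; httpd_t, foo_t and foo_data_t are the poster's names, parent_data_t is a hypothetical bounding file type, and the allow rules are constructed:

```selinux
# Added illustration (hypothetical module fragment, not from the thread or
# any shipped policy). parent_data_t is an assumed name for the file type
# that bounds foo_data_t.
type foo_t;
type foo_data_t;
files_type(foo_data_t)        # refpolicy interface; assumed available

# Domain hierarchy: foo_t may never be granted more than httpd_t has.
typebounds httpd_t foo_t;

# Without a bound on the file type, the child's rule below is accepted
# by the bounds check only if httpd_t itself is granted the same access:
#   allow httpd_t foo_data_t:file { read write getattr open };

# Bounding the file type as well lets the hierarchy check compare the
# child's access to the child object against the parent's access to the
# parent object, so httpd_t needs no rule for foo_data_t at all.
typebounds parent_data_t foo_data_t;

# Child subject accessing child object ...
allow foo_t foo_data_t:file { read write getattr open };
# ... covered by the parent subject's access to the parent object.
allow httpd_t parent_data_t:file { read write getattr open };
```

The bound is verified when the policy is built or loaded, not at access time: a child rule with no matching parent access is reported as a bounds violation, which is the check Michal's observation on FC12 exercised.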

* Re: type bounds for files?
From: Michal Svoboda @ 2010-12-16 10:14 UTC (permalink / raw)
  To: SELinux


KaiGai Kohei wrote:
> > Is this a known behavior? What is the sense in typebounding file types?
> Yes, it is known. We had a similar discussion before:
>   http://marc.info/?l=selinux&m=126771862818496&w=2

I see. Unfortunately the selinux symposium pdf link at the end of the
message is broken. Do you have another link to that file?

I also have a few questions. Suppose that
 1) dom_A bounds dom_B
 2) file_A bounds file_B
 3) dom_A has a set of rights S1 for file_A
 4) dom_B has a set of rights S2 for file_B

What is then the resulting masked set for dom_B wrt file_B? S1 cap S2?

And does this principle extend (and how?) to chained bounds (i.e. A bounds B,
which in turn bounds C)?

And does it (semantically or otherwise) matter what kind of file_type
the file_A is? For example, is 'typebound tmp_t file_B' the same as
'typebound http_user_data_t file_B'?

Michal Svoboda



* Re: type bounds for files?
From: Chad Sellers @ 2010-12-16 19:01 UTC (permalink / raw)
  To: Michal Svoboda, SELinux

On 12/16/10 5:14 AM, "Michal Svoboda" <michal.svoboda@agents.felk.cvut.cz>
wrote:

> KaiGai Kohei wrote:
>>> Is this a known behavior? What is the sense in typebounding file types?
>> Yes, it is known. We had a similar discussion before:
>>   http://marc.info/?l=selinux&m=126771862818496&w=2
> 
> I see. Unfortunately the selinux symposium pdf link at the end of the
> message is broken. Do you have another link to that file?
> 
Sorry about that. We've had some domain management issues with the old
symposium site that we're currently working to resolve. In the meantime,
I'll send you (and anyone else who wants it) a copy directly.

Thanks,
Chad Sellers

