* target context of security:setbool permission check
@ 2020-03-02 15:44 Christian Göttsche
2020-03-02 16:37 ` Dominick Grift
2020-03-02 18:56 ` Stephen Smalley
0 siblings, 2 replies; 3+ messages in thread
From: Christian Göttsche @ 2020-03-02 15:44 UTC (permalink / raw)
To: selinux
Hi,
currently the target context of the security:setbool permission check
is hardcoded to the security-initial-sid.[1][2]
Nowadays it is possible to label the boolean pseudo files via genfscon.
Is this by design or did nobody yet make it possible to base the check
on the actual file-context?
Or is the current access limitation to booleans via the file:write
permission to the boolean pseudo-files sufficient?
[1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
[2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290
* Re: target context of security:setbool permission check
From: Dominick Grift @ 2020-03-02 16:37 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
Christian Göttsche <cgzones@googlemail.com> writes:
> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?
From my experience, blocking write access to the bool file is sufficient.
>
>
> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290
--
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: target context of security:setbool permission check
From: Stephen Smalley @ 2020-03-02 18:56 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Mon, Mar 2, 2020 at 10:44 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?
I would think the file write check suffices if you want that level of
granularity, while keeping the setbool check as a coarse-grained control
over who can set booleans at all. setbool is also used to control the
ability to commit pending bools. Most of the security permissions predate
selinuxfs itself and harken back to the original system call interface
although that wouldn't be the case for booleans.
>
>
> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290
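The two layers discussed in this thread, written out as a CIL policy fragment. This is an added example, not policy posted by any participant or taken from a distribution. The names example_admin_t, example_bool_t and example_bool are hypothetical, and the fragment assumes an MLS-enabled base policy that already defines system_u, object_r, s0 and security_t (the type of the security initial SID and of the selinuxfs default label).

```cil
; Added example. example_* names are hypothetical; security_t, system_u,
; object_r and s0 are assumed to come from the base policy.

(boolean example_bool false)

(type example_admin_t)
(type example_bool_t)
(roletype object_r example_bool_t)

; Label a single boolean pseudo-file via genfscon. The path is relative to
; the selinuxfs mount point (usually /sys/fs/selinux).
(genfscon selinuxfs /booleans/example_bool
    (system_u object_r example_bool_t ((s0) (s0))))

; Coarse-grained layer: security:setbool. Its target is the security
; initial SID (security_t here), not the label of the pseudo-file, so it
; only decides whether the domain may set booleans at all.
(allow example_admin_t security_t (security (setbool)))

; Fine-grained layer: ordinary file permissions on the labelled
; pseudo-file decide which booleans the domain may write.
; Assumption: the booleans directory keeps the default label security_t.
(allow example_admin_t security_t (dir (search)))
(allow example_admin_t example_bool_t (file (getattr open read write)))

; Committing pending values is a write to commit_pending_bools, which is
; not relabelled above and so keeps the default label (assumed security_t).
; That operation is also gated by security:setbool.
(allow example_admin_t security_t (file (getattr open write)))
```

A domain that holds setbool but has no write permission on a given boolean's file type cannot change that boolean, which is the granularity the replies describe.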