target context of security:setbool permission check

target context of security:setbool permission check

[Christian Göttsche]

Hi,

currently the target context of the security:setbool permission check
is hardcoded to the security-initial-sid.[1][2]
Nowadays it is possible to label the boolean pseudo files via genfscon.

Is this by design or did nobody yet make it possible to base the check
on the actual file-context?

Or is the current access limitation to booleans via the file:write
permission to the boolean pseudo-files sufficient?


[1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
[2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290

Re: target context of security:setbool permission check

[Dominick Grift]

Christian Göttsche <cgzones@googlemail.com> writes:

> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?

From my experience blocking write access to the bool file is sufficient

>
>
> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290

-- 
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

Re: target context of security:setbool permission check

[Stephen Smalley]

On Mon, Mar 2, 2020 at 10:44 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Hi,
>
> currently the target context of the security:setbool permission check
> is hardcoded to the security-initial-sid.[1][2]
> Nowadays it is possible to label the boolean pseudo files via genfscon.
>
> Is this by design or did nobody yet make it possible to base the check
> on the actual file-context?
>
> Or is the current access limitation to booleans via the file:write
> permission to the boolean pseudo-files sufficient?

I would think the file write check suffices if you want that level of
granularity, while keeping the setbool check as
a coarse-grained control over who can set booleans at all.  setbool is
also used to control the ability to commit
pending bools.  Most of the security permissions predate selinuxfs
itself and harken back to the original system call interface
although that wouldn't be the case for booleans.



>
>
> [1]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1234
> [2]: https://github.com/torvalds/linux/blob/b1dba2473114588be3df916bf629a61bdcc83737/security/selinux/selinuxfs.c#L1290