From: Paul Moore <paul@paul-moore.com>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] selinux-notebook: describe nosuid and NNP transitions
Date: Thu, 17 Jun 2021 23:50:54 -0400 [thread overview]
Message-ID: <CAHC9VhQt=ytU11Gk8hOx1G14bQz9o8RvJHr6VJh8+Y6Tmc5xqg@mail.gmail.com> (raw)
In-Reply-To: <20210612081403.16732-1-toiwoton@gmail.com>
On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Describe cases where nosuid_transition or nnp_transition are needed.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
> src/computing_security_contexts.md | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> index bb946b5..7bd1d87 100644
> --- a/src/computing_security_contexts.md
> +++ b/src/computing_security_contexts.md
> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> *default_type* (policy version 28) or if a security-aware process,
> by calling ***setexeccon**(3)* if permitted by policy prior to
> invoking exec.
> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> +3. If the file system is mounted with *nosuid* flag, type transitions
> + require permission *nosuid_transition*. If the thread has
> + *no_new_privs* attribute set, the transition requires
> + *nnp_transition*. For both transitions, policy capability
> + *nnp_nosuid_transition* is also required. See also
> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> + section.
Thanks for adding this text, however I might suggest the following changes:
"If the loaded SELinux policy has the nnp_nosuid_transition policy
capability enabled there are potentially two additional permissions
that are required to permit a domain transition: nosuid_transition for
nosuid mounted filesystems, and nnp_transition for for threads with
the no_new_privs flag."
... does that make sense?
> +4. At any time, a security-aware process may invoke ***setcon**(3)* to
> switch its security context (if permitted by policy) although this
> practice is generally discouraged - exec-based transitions are
> preferred.
> --
> 2.30.2
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2021-06-18 3:51 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-12 8:14 [PATCH] selinux-notebook: describe nosuid and NNP transitions Topi Miettinen
2021-06-18 3:50 ` Paul Moore [this message]
2021-06-18 18:09 ` Topi Miettinen
2021-06-18 19:32 ` Paul Moore
2021-06-18 20:37 ` Topi Miettinen
2021-06-19 7:43 ` Topi Miettinen
2021-06-21 14:09 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhQt=ytU11Gk8hOx1G14bQz9o8RvJHr6VJh8+Y6Tmc5xqg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.