link between roles and domains

link between roles and domains

[Guillaume PETITJEAN]

Hello,

I'm new to SELinux.

I have a question regarding the management of users and roles.

I understood that a user is associated with a role (or several roles) 
and that each role is allowed to enter a set of domain. I understood  
how access control permissions are defined on couple of domains and the 
process of domain transitions. But I didn't understand which domain 
(among the set of domains allowed for a role) is selected at any time.

In other terms let's say you have a process foo belonging to the role 
user_r and suppose user_r is allowed for (domain1_t, domain2_t, 
domain3_t), how does the policy decides to which domain will belong the 
process in practice in order to compute security decisions ?

Thanks

Guillaume Petitjean


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: link between roles and domains

[Stephen Smalley]

On Mon, 2005-11-21 at 09:22 +0100, Guillaume PETITJEAN wrote:
> Hello,
> 
> I'm new to SELinux.
> 
> I have a question regarding the management of users and roles.
> 
> I understood that a user is associated with a role (or several roles) 
> and that each role is allowed to enter a set of domain. I understood  
> how access control permissions are defined on couple of domains and the 
> process of domain transitions. But I didn't understand which domain 
> (among the set of domains allowed for a role) is selected at any time.
> 
> In other terms let's say you have a process foo belonging to the role 
> user_r and suppose user_r is allowed for (domain1_t, domain2_t, 
> domain3_t), how does the policy decides to which domain will belong the 
> process in practice in order to compute security decisions ?

The security context of a user process is set up by some "entrypoint"
program, like login or sshd, by querying libselinux for an ordered list
of reachable security contexts from the entrypoint process for the user.
libselinux consults the kernel security server via selinuxfs as well as
a default_contexts configuration to generate and order this list.  The
kernel security server computes reachability based on process transition
permission from the context of the entrypoint process to contexts for
the user.

Once the security context has been initially set for the user process,
any subsequent domain transitions are governed by the policy based on
the usual (file:execute, process:transition, file:entrypoint) triple.
Any accesses by a process are governed by the domain stored in its
security context.  A process may only have a single domain in its
security context at any given time.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: link between roles and domains

[Karl MacMillan]

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
> Behalf Of Stephen Smalley
> Sent: Monday, November 28, 2005 10:46 AM
> To: Guillaume PETITJEAN
> Cc: selinux
> Subject: Re: link between roles and domains
> 
> On Mon, 2005-11-21 at 09:22 +0100, Guillaume PETITJEAN wrote:
> > Hello,
> >
> > I'm new to SELinux.
> >
> > I have a question regarding the management of users and roles.
> >
> > I understood that a user is associated with a role (or several roles)
> > and that each role is allowed to enter a set of domain. I understood
> > how access control permissions are defined on couple of domains and the
> > process of domain transitions. But I didn't understand which domain
> > (among the set of domains allowed for a role) is selected at any time.
> >
> > In other terms let's say you have a process foo belonging to the role
> > user_r and suppose user_r is allowed for (domain1_t, domain2_t,
> > domain3_t), how does the policy decides to which domain will belong the
> > process in practice in order to compute security decisions ?
> 
> The security context of a user process is set up by some "entrypoint"
> program, like login or sshd, by querying libselinux for an ordered list
> of reachable security contexts from the entrypoint process for the user.
> libselinux consults the kernel security server via selinuxfs as well as
> a default_contexts configuration to generate and order this list.  The
> kernel security server computes reachability based on process transition
> permission from the context of the entrypoint process to contexts for
> the user.
> 
> Once the security context has been initially set for the user process,
> any subsequent domain transitions are governed by the policy based on
> the usual (file:execute, process:transition, file:entrypoint) triple.
> Any accesses by a process are governed by the domain stored in its
> security context.  A process may only have a single domain in its
> security context at any given time.
> 

These slides give an overview of domain transitions and include information
about how users and roles further restrict the allowed domain transitions.
http://www.tresys.com/files/course/03-PolicyConcepts.pdf. They are part of
our SELinux training (more info and the rest of the slides are at
http://www.tresys.com/selinux/).

Karl

------
Karl MacMillan
Tresys Technology
http://www.tresys.com

> --
> Stephen Smalley
> National Security Agency
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: link between roles and domains

[Guillaume PETITJEAN]

Thank you for your answer.

It's basically what I understood and I'm still missing something : in 
the example policy (may be it is not representative of a real system ?) 
there are very few role transitions. And domain transition rules don't 
take into account the role. Then it seems to me that once a process has 
been associated the first time to a domain (the domain of the first 
security context in the default_contexts list) its role isn't used 
anymore since only domain transitions occur. Or do roles only aim to 
define the first domain of a process ?
Where is my mistake ?

Cheers,
Guillaume

Stephen Smalley wrote:

>On Mon, 2005-11-21 at 09:22 +0100, Guillaume PETITJEAN wrote:
>  
>
>>Hello,
>>
>>I'm new to SELinux.
>>
>>I have a question regarding the management of users and roles.
>>
>>I understood that a user is associated with a role (or several roles) 
>>and that each role is allowed to enter a set of domain. I understood  
>>how access control permissions are defined on couple of domains and the 
>>process of domain transitions. But I didn't understand which domain 
>>(among the set of domains allowed for a role) is selected at any time.
>>
>>In other terms let's say you have a process foo belonging to the role 
>>user_r and suppose user_r is allowed for (domain1_t, domain2_t, 
>>domain3_t), how does the policy decides to which domain will belong the 
>>process in practice in order to compute security decisions ?
>>    
>>
>
>The security context of a user process is set up by some "entrypoint"
>program, like login or sshd, by querying libselinux for an ordered list
>of reachable security contexts from the entrypoint process for the user.
>libselinux consults the kernel security server via selinuxfs as well as
>a default_contexts configuration to generate and order this list.  The
>kernel security server computes reachability based on process transition
>permission from the context of the entrypoint process to contexts for
>the user.
>
>Once the security context has been initially set for the user process,
>any subsequent domain transitions are governed by the policy based on
>the usual (file:execute, process:transition, file:entrypoint) triple.
>Any accesses by a process are governed by the domain stored in its
>security context.  A process may only have a single domain in its
>security context at any given time.
>
>  
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: link between roles and domains

[Stephen Smalley]

On Mon, 2005-11-28 at 17:45 +0100, Guillaume PETITJEAN wrote:
> It's basically what I understood and I'm still missing something : in 
> the example policy (may be it is not representative of a real system ?) 
> there are very few role transitions. And domain transition rules don't 
> take into account the role. Then it seems to me that once a process has 
> been associated the first time to a domain (the domain of the first 
> security context in the default_contexts list) its role isn't used 
> anymore since only domain transitions occur. Or do roles only aim to 
> define the first domain of a process ?
> Where is my mistake ?

The role is primarily a way of organizing sets of domains for user
authorization.  We expect role transitions to be relatively rare (in
comparison to domain transitions) and usually explicitly requested by
the user or program (ala login or newrole) rather than automatic upon
program execution.  Automatic role transitions are primarily a
concession to compatibility (e.g. manual execution of init scripts and
restart of daemons by admins or by package scriptlets).

The role does act as a limit on what domains can be associated with the
process; the user-role relation and the role-domain relation are checked
for every security context, so a process can never transition to a
context with a domain that is not authorized for the role in that
context.  However, this is a weak barrier, as that process might still
be able to influence the target domain if it is allowed to do other
operations on the domain by the TE policy, so it is generally not a good
idea to rely on the role-domain relation alone to isolate domains.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.