* [PATCH v2] selinux-notebook: describe nosuid and NNP transitions
@ 2021-06-27 20:28 Topi Miettinen
From: Topi Miettinen @ 2021-06-27 20:28 UTC (permalink / raw)
To: selinux; +Cc: Topi Miettinen
Describe cases where nosuid_transition or nnp_transition are needed.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
src/computing_security_contexts.md | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index bb946b5..ca514d7 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -84,7 +84,18 @@ Processes inherit their security context as follows:
*default_type* (policy version 28) or if a security-aware process,
by calling ***setexeccon**(3)* if permitted by policy prior to
invoking exec.
-3. At any time, a security-aware process may invoke ***setcon**(3)* to
+3. If the loaded SELinux policy has the nnp_nosuid_transition policy
+ capability enabled there are potentially two additional permissions
+ that are required to permit a domain transition: nosuid_transition
+ for nosuid mounted filesystems, and nnp_transition for for threads
+ with the no_new_privs flag. If nnp_nosuid_transition policy
+ capability is disabled, such domain transitions are denied but
+ bounded domain transitions are still allowed. In bounded
+ transitions, target domain is only allowed a subset of the
+ permissions of the source domain. See also
+ [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
+ section.
+4. At any time, a security-aware process may invoke ***setcon**(3)* to
switch its security context (if permitted by policy) although this
practice is generally discouraged - exec-based transitions are
preferred.
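Review bot: the new item 3 has a doubled word, "nnp_transition for for threads with the no_new_privs flag", which should read "nnp_transition for threads with the no_new_privs flag"; in the same item "target domain is only allowed a subset" reads better as "the target domain is only allowed a subset". The item also introduces "bounded domain transitions" without saying where they are defined; since the link at the end of the item goes to the LSM/SELinux section, consider either a one-line definition here or a pointer to the section of the notebook that describes bounded types, so a reader knows how a target domain comes to be bounded by the source domain.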
--
2.30.2
* Re: [PATCH v2] selinux-notebook: describe nosuid and NNP transitions
From: Paul Moore @ 2021-07-13 2:22 UTC (permalink / raw)
To: Topi Miettinen; +Cc: selinux
On Sun, Jun 27, 2021 at 4:29 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Describe cases where nosuid_transition or nnp_transition are needed.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
> src/computing_security_contexts.md | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
Merged with some minor typo fixes - thanks for your help and patience Topi!
--
paul moore
www.paul-moore.com