selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] selinux-notebook: describe nosuid and NNP transitions
@ 2021-06-27 20:28 Topi Miettinen
  2021-07-13  2:22 ` Paul Moore
  0 siblings, 1 reply; 2+ messages in thread
From: Topi Miettinen @ 2021-06-27 20:28 UTC (permalink / raw)
  To: selinux; +Cc: Topi Miettinen

Describe cases where nosuid_transition or nnp_transition are needed.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 src/computing_security_contexts.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index bb946b5..ca514d7 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -84,7 +84,18 @@ Processes inherit their security context as follows:
    *default_type* (policy version 28) or if a security-aware process,
    by calling ***setexeccon**(3)* if permitted by policy prior to
    invoking exec.
-3. At any time, a security-aware process may invoke ***setcon**(3)* to
+3. If the loaded SELinux policy has the nnp_nosuid_transition policy
+   capability enabled there are potentially two additional permissions
+   that are required to permit a domain transition: nosuid_transition
+   for nosuid mounted filesystems, and nnp_transition for for threads
+   with the no_new_privs flag. If nnp_nosuid_transition policy
+   capability is disabled, such domain transitions are denied but
+   bounded domain transitions are still allowed. In bounded
+   transitions, target domain is only allowed a subset of the
+   permissions of the source domain.  See also
+   [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
+   section.
+4. At any time, a security-aware process may invoke ***setcon**(3)* to
    switch its security context (if permitted by policy) although this
    practice is generally discouraged - exec-based transitions are
    preferred.
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH v2] selinux-notebook: describe nosuid and NNP transitions
  2021-06-27 20:28 [PATCH v2] selinux-notebook: describe nosuid and NNP transitions Topi Miettinen
@ 2021-07-13  2:22 ` Paul Moore
  0 siblings, 0 replies; 2+ messages in thread
From: Paul Moore @ 2021-07-13  2:22 UTC (permalink / raw)
  To: Topi Miettinen; +Cc: selinux

On Sun, Jun 27, 2021 at 4:29 PM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> Describe cases where nosuid_transition or nnp_transition are needed.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
>  src/computing_security_contexts.md | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)

Merged with some minor typo fixes - thanks for your help and patience Topi!

-- 
paul moore
www.paul-moore.com

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-07-13  2:22 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-27 20:28 [PATCH v2] selinux-notebook: describe nosuid and NNP transitions Topi Miettinen
2021-07-13  2:22 ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).