SELinux Mailing List

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Mon, 10 Dec 2007 16:27:48 -0500
security_kernel_act_as()
> I don't really know how nfsd wants to obtain and set its LSM context, so it's

It would get a context from the client or from a local configuration that would map security-unaware clients to a default context, and then want to assume that context for the particular operation. No transition involved.

> > Why can't cachefilesd just push a context into the kernel and pass that

From a config file whose pathname would be provided by libselinux (ala

Naturally, cachefiles (the kernel module) would invoke a security hook to check whether the daemon is allowed to set the specified context.

> I used to do that, but someone objected... Possibly Karl MacMillan.

Yes, but I think I disagreed then too.

> > and then nfsd can do likewise using the context provided by the client or

It doesn't fit with how other users of security_kernel_act_as() will likely want to work (they will want to just set the context to a specified value, whether one obtained from the client or from some local source), nor with how type transitions normally work (exec, with the program type as the second type field). I think it will just cause confusion and subtle breakage.

--
Stephen Smalley
National Security Agency

Received on Mon 10 Dec 2007 - 16:27:51 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009