Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRE: dynamic context transitions
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Fri, 05 Nov 2004 11:41:17 -0500
What about permanently shedding permissions after a certain point in processing within a program? What about an orthogonal transformation, e.g. adding permission to one type while removing permission to another type for least privilege purposes? I think that your model will prove too simplistic and inflexible.
> To me this is not policy, but definition of domain. The notion of domain type This is just another way of arguing aginst dynamic context transitions at all. A "domain" is a security equivalence class for processes. Whether or not it can change only at new-subject-creation time is another matter, and I don't think SELinux would be the first TE system to support dynamic changes in domain. Parallel: Files can be relabeled, not just assigned a label when they are created. Kernel imposes no inherent restriction on the relationship among those types; it just enforces the policy as defined.
> In fact we don't even have to have a permission to allow context change, there's I don't think this will meet the need, as above.
> The current proposal, if I understand correctly, will allow policy writers to Yes, the kernel mechanism is only restricted by the policy. What restrictions can/should be imposed by userspace can be investigated, but we don't have a clear answer presently, nor a clear sense that a single set of restrictions will properly cover every case.
> What I'm not entirely sure of is the best mechanisms: how much of this is Because the concept, as stated above, is really a policy decision. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Fri 5 Nov 2004 - 11:45:54 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |