
SELinux Mailing List

Re: latest diff

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Wed, 23 Mar 2005 08:51:29 -0500


On Wed, 2005-03-23 at 12:10 +0100, Thomas Bleher wrote:
> Would it be possible to decompose sys_admin into a set of selinux
> permissions? I think this would be the best solution.
> Probably difficult with the current design, but maybe capable() could
> get a second parameter specifying what type of access is to be granted,
> or the code could call an lsm function in addition to the capable()
> call.
> Is this doable?

Yes, feel free to suggest/submit patches (to the lsm mailing list and lkml) to add new LSM hooks to code where the existing capable call provides insufficient granularity, and then move the capable call into the hook function implementation for the dummy and capability modules. The goal should be to replace capable() calls with more flexible LSM hooks wherever it makes sense to do so, but doing that completely in the first round of LSM was viewed as impractical (e.g. >500 calls to capable in the kernel tree). Then for SELinux, you can define new permissions in the system class or create new classes as appropriate to provide finer-grained controls.

Another item that ultimately needs to be addressed is the mapping of device and filesystem ioctls to more general permission check calls to the security module, so that interpretation can remain in the device and filesystem code but reasonable controls can be applied by security policies. This would be similar to what James Morris did for the netlink message types, although that presently relies on maintaining a separate netlink message type table for SELinux (which may be a maintenance problem in the long term, and certainly won't scale for ioctls).

Another fun task would be to provide _real_ labeling and control of devices, not just device nodes in the filesystem, so that the ability to create device nodes doesn't allow one to sidestep access controls based on the device type.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


Received on Wed 23 Mar 2005 - 08:59:12 EST
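
The refactoring described in the message above (a new hook at the call site, with the capable check moved into the dummy/capability module's hook implementation so a policy module can apply finer-grained permissions) can be sketched as a user-space model. This is an added example, not code from the message or from the kernel; every name, the operation set and the policy table are hypothetical and constructed for illustration.

```c
/* User-space model for illustration; not kernel code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#define MODEL_CAP_SYS_ADMIN 1u          /* stand-in for the single coarse capability bit */

/* Operations that share one capability check before the change (constructed set). */
enum admin_op { OP_MOUNT, OP_SETHOSTNAME, OP_SWAPON, OP_COUNT };
struct task { unsigned caps; const char *domain; };

/* Stand-in for capable(): sees the capability, not the operation. */
static int capable_model(const struct task *t, unsigned cap) { return (t->caps & cap) != 0; }

/* The added hook: the call site names the operation, the module decides (0 allow, -1 deny). */
struct security_ops { int (*admin_op)(const struct task *t, enum admin_op op); };

/* Dummy/capability module: the capable check moves here, so behaviour is unchanged. */
static int cap_admin_op(const struct task *t, enum admin_op op) {
    (void)op;
    return capable_model(t, MODEL_CAP_SYS_ADMIN) ? 0 : -1;
}

/* Policy module: a per-domain mask of permitted operations (constructed policy). */
static const struct { const char *domain; unsigned allowed; } policy[] = {
    { "mount_t",  1u << OP_MOUNT },
    { "sysadm_t", (1u << OP_COUNT) - 1 },
};

static int fine_admin_op(const struct task *t, enum admin_op op) {
    if (cap_admin_op(t, op) != 0)       /* keep the capability check as a floor */
        return -1;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].domain, t->domain) == 0)
            return (policy[i].allowed & (1u << op)) ? 0 : -1;
    return -1;                          /* unknown domain: default deny */
}

static const struct security_ops capability_ops = { cap_admin_op };
static const struct security_ops fine_ops = { fine_admin_op };

/* Call site that previously read: if (!capable(CAP_SYS_ADMIN)) return -EPERM; */
static int do_admin_op(const struct security_ops *ops, const struct task *t, enum admin_op op) {
    return ops->admin_op(t, op);
}

int main(void) {
    struct task mounter = { MODEL_CAP_SYS_ADMIN, "mount_t" };
    printf("capability module, sethostname: %d\n", do_admin_op(&capability_ops, &mounter, OP_SETHOSTNAME));
    printf("policy module,     sethostname: %d\n", do_admin_op(&fine_ops, &mounter, OP_SETHOSTNAME));
    return 0;
}
```

With the capability-only module, a task holding the capability may perform every operation behind it; with the policy module, the same task is limited to the operations its domain is granted.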
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service