SELinux Mailing List

Re: Removing DAC.

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Mon, 24 Mar 2008 13:45:13 -0400

On Mon, 2008-03-24 at 14:29 -0300, cinthya aranguren wrote:
> On Sun, Mar 23, 2008 at 2:40 PM, Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > --- Casey Schaufler <casey@schaufler-ca.com> wrote:
> >
> > >
> > > --- cinthya aranguren <cinthya.aranguren@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Is there any way to avoid or remove DAC controls? I'd like to have only one
> > > > security scheme in my system. I mean a pure SELinux system, not DAC + MAC,
> > > > only MAC.
> > >
> > > No.
> > >
> > > Well, not today.
> >
> > I will add that if every process runs with CAP_DAC_OVERRIDE set
> > you can approach "no DAC", but I think you would probably have
> > to dig very deeply into the behavior of security cognizant
> > applications (sendmail comes to mind) and make sure that they
> > aren't explicitly dropping that capability. I will let those
> > who work more closely with SELinux policy than I do describe
> > how capabilities possessed are related to an SELinux policy
> > and how that might impact the behavior of SELinux. You should
> > also note that SELinux takes what are traditionally DAC
> > attributes into account when making decisions and that if you
> > use MCS you are using a DAC mechanism within SELinux. I'm not
> > saying that's bad, just that it's there.
> >
>
> This is a good point. I will experiment with CAP_DAC_OVERRIDE,
> but why does SELinux take DAC attributes into account when making
> decisions? Does this not violate the separation of "policy" from
> "enforcement"?

SELinux does not use the DAC attributes (uid, gid, mode bits) as part of its decision.

SELinux does however control the use of capabilities/privileges in accordance with its policy. And it does have a notion of user identity in its security context, although that is separately managed and is usually used just as a "role set" construct in modern SELinux (e.g. staff_u authorized for staff_r and sysadm_r).

-- 
Stephen Smalley
National Security Agency


Received on Mon 24 Mar 2008 - 13:47:09 EDT
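
The check raised in the quoted reply above (confirming that a process has not dropped CAP_DAC_OVERRIDE), as an added example that is not part of the original thread. It assumes the `CapPrm`/`CapEff` hex bitmask lines of `/proc/<pid>/status` on a current Linux kernel; the function names and the sample status text are constructed for illustration.

```python
import glob

CAP_DAC_OVERRIDE = 1  # bit index, from <linux/capability.h>
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Constructed samples in /proc/<pid>/status format (not from a real host).
SAMPLE_FULL = "Name:\tdaemon_a\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
SAMPLE_INACTIVE = "Name:\tdaemon_b\nCapPrm:\t000001ffffffffff\nCapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
SAMPLE_DROPPED = "Name:\tdaemon_c\nCapPrm:\t000001fffffffffd\nCapEff:\t000001fffffffffd\nCapBnd:\t000001ffffffffff\n"

def parse_cap_sets(status_text):
    """Return {field: int bitmask} for the capability lines of a status file."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_FIELDS:
            sets[key] = int(value.strip(), 16)
    return sets

def dac_override_state(status_text):
    """Classify how the process holds CAP_DAC_OVERRIDE."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets or "CapPrm" not in sets:
        raise ValueError("status text lacks CapEff/CapPrm lines")
    bit = 1 << CAP_DAC_OVERRIDE
    if sets["CapEff"] & bit:
        return "effective"       # capability is active in the effective set
    if sets["CapPrm"] & bit:
        return "permitted-only"  # held but lowered; the process can raise it again
    return "dropped"             # ordinary DAC checks apply to this process

def audit_live():
    """Map /proc status paths to states; skips processes that exit mid-scan."""
    results = {}
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                results[path] = dac_override_state(fh.read())
        except (OSError, ValueError):
            continue
    return results

if __name__ == "__main__":
    for name, sample in (("full", SAMPLE_FULL), ("inactive", SAMPLE_INACTIVE),
                         ("dropped", SAMPLE_DROPPED)):
        print(name, dac_override_state(sample))
```

A process reported as "effective" still has its use of the capability checked by SELinux, where the domain needs the `dac_override` permission in the `capability` class.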
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service