Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: dynamic context transitions
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Tue, 02 Nov 2004 10:33:17 -0500
Yes, I think one could build a "reasonable" system without support for runtime policy reloading or file relabeling. Further, in the absence of complete revocation support, one could argue that the system should omit these operations since it cannot guarantee their safety. You might argue that a "general purpose" system needs such operations. Are dynamic context transitions necessary for acceptability? I don't know the answer, but I do know that we have received far more requests for that functionality on this list (just to support legacy Unix/Linux applications) than we have ever received for conditional policy support.
> All of these mechanism are present to allow integration of SELinux with Yet even the exec-based transitions are strongly influenced by application compatibility concerns; otherwise, we would be purging the entire environment, resetting the namespace, etc. Some would argue that exec-based transitions are fundamentally flawed in any case where the new domain is more privileged than the calling domain due to the ability of the caller to influence the new domain via the implicitly inherited state, and an IPC-based model would be preferable so that all untrustworthy input is explicitly passed and can be vetted rather than implicitly conveyed and so that the initial state of the more trusted domain is always setup by a trustworthy process. But we obviously aren't going to mandate that model in the mechanism.
> Everyone seems to agree that dynamic context transitions are useful only We have the same concern, although I'm not certain that "everyone" agrees on the first point - my impression is that the Samba developers viewed our lack of a setfsuid-like operation as a defect in SELinux, and that TCS doesn't think that it is _always_ better to convert to an exec-based transition (and I would agree that you have to think about the trust boundary in doing so, as just splitting the code into a helper that is still completely controlled by inputs provided by the caller has only limited benefit). On the other hand, what happens if we simply reject this functionality? Will the developers of all of these "legacy" applications rush to restructure their applications to better support least privilege and isolation for SELinux? Or will they just leave them as they are, either not running on SELinux at all or running in a single domain with the maximal set of permissions required for operation all the time? Is that truly preferable? -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Tue 2 Nov 2004 - 10:37:02 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |