SELinux Mailing List
RE: dynamic context transitions
From: Karl MacMillan <kmacmillan_at_tresys.com>
Date: Tue, 02 Nov 2004 17:06:27 -0500
These statements seem contradictory to me. If the trust is at the process boundary, then it is not possible to further reduce the trust within the same process image. Can you clarify?
> The privilege bracketing approach goes hand in hand

Dropping privileges permanently is obviously preferable. The problem is that the current language has no concept of hierarchical domains and it will take very careful policy development to ensure that a context change is really dropping privileges instead of trading one set of privileges for another. Fundamentally, the problem seems to be the ability of code in one domain to execute arbitrary code in another domain. In certain circumstances you can try to make certain that the new domain only has less access, but there is no strong guarantee. This seems like a good argument for the language changes that Frank discussed with you in other emails, even though that is not likely to provide any stronger guarantees.

> > It is not a straightforward answer I don't think. One reason I am able

Ultimately, I am trying to make it clear that there is a difference between reducing the amount of trust given to an application and applying practical discretionary security measures. I haven't seen any arguments to lead me to conclude that dynamic context transitions are anything but the latter. If my assessment is correct, the union of the set of privileges given to the domains (which is what I meant by maximal permissions) defines the trust given to that application. In that case there is no reason, from a trust standpoint, to not give the application all of those privileges. There may be other practical reasons, of course.

Karl

> -Chad

--
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com

Received on Tue 2 Nov 2004 - 17:07:28 EST
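The message above argues that a dynamic context transition only reduces trust if the target domain's permissions are a subset of the source domain's, and that the trust actually granted to an application is the union of the permissions of every domain it can reach. The following is an added example, not code from this thread or from the SELinux project, that makes that check concrete on a toy policy: it parses simple `allow` rules, follows `dyntransition` permissions on the `process` class (the permission SELinux checks for a dynamic transition), reports for each transition which accesses the new domain gains that the old one lacked (a "trade" rather than a "drop"), and computes the union of accesses reachable from a starting domain. The policy text, type names and rule subset it understands are constructed for the example; it is not a policy compiler and ignores attributes, conditionals and everything except plain `allow` rules.

```python
"""Toy checker for "does this dynamic transition drop privilege or trade it?"

Added example; not code from the mailing-list thread or the SELinux project.
Only plain `allow SRC TGT:CLASS { PERMS };` rules are understood, and the
sample policy below is constructed for this example.
"""
import re
from collections import deque
from typing import Dict, Set, Tuple

# One granted access: (target type, object class, permission).
Access = Tuple[str, str, str]

# Constructed sample policy. daemon_t may switch into two domains: the
# worker holds a strict subset of its accesses, the helper can read shadow_t.
SAMPLE_POLICY = """
allow daemon_t etc_t:file { read getattr open };
allow daemon_t net_conf_t:file { read getattr open };
allow daemon_t port_t:tcp_socket name_bind;
allow daemon_t daemon_worker_t:process dyntransition;
allow daemon_t daemon_helper_t:process dyntransition;
allow daemon_worker_t etc_t:file { read getattr open };
allow daemon_helper_t etc_t:file { read getattr open };
allow daemon_helper_t shadow_t:file { read getattr open };
"""

ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;"
)


def parse_allow_rules(policy: str) -> Dict[str, Set[Access]]:
    """Map each source domain to the set of accesses its allow rules grant."""
    perms: Dict[str, Set[Access]] = {}
    for m in ALLOW_RE.finditer(policy):
        src, tgt, cls, braced, single = m.groups()
        names = braced.split() if braced is not None else [single]
        perms.setdefault(src, set()).update((tgt, cls, p) for p in names)
    return perms


def dyntransition_targets(perms: Dict[str, Set[Access]], src: str) -> Set[str]:
    """Domains that `src` may switch into via process:dyntransition."""
    return {tgt for (tgt, cls, p) in perms.get(src, set())
            if cls == "process" and p == "dyntransition"}


def privilege_trade(perms: Dict[str, Set[Access]], src: str, dst: str) -> Set[Access]:
    """Accesses dst holds that src does not. Empty set: the transition only drops."""
    return perms.get(dst, set()) - perms.get(src, set())


def reachable_domains(perms: Dict[str, Set[Access]], start: str) -> Set[str]:
    """All domains reachable from `start` through chains of dyntransition."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in dyntransition_targets(perms, cur):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def total_trust(perms: Dict[str, Set[Access]], start: str) -> Set[Access]:
    """Union of accesses over every reachable domain: the trust actually granted."""
    trust: Set[Access] = set()
    for d in reachable_domains(perms, start):
        trust |= perms.get(d, set())
    return trust


def audit_transitions(policy: str, start: str) -> Dict[Tuple[str, str], Set[Access]]:
    """For each reachable transition (src, dst), the accesses dst gains over src."""
    perms = parse_allow_rules(policy)
    return {(d, dst): privilege_trade(perms, d, dst)
            for d in reachable_domains(perms, start)
            for dst in dyntransition_targets(perms, d)}


if __name__ == "__main__":
    perms = parse_allow_rules(SAMPLE_POLICY)
    for (src, dst), gained in sorted(audit_transitions(SAMPLE_POLICY, "daemon_t").items()):
        verdict = "drops privilege" if not gained else f"trades privilege, gains {sorted(gained)}"
        print(f"{src} -> {dst}: {verdict}")
    print(f"accesses in total trust of daemon_t: {len(total_trust(perms, 'daemon_t'))}")
```

On the sample policy the worker transition comes out as a pure drop, while the helper transition is flagged as a trade because of the `shadow_t` reads; the total trust of `daemon_t` is the union of all three domains' accesses, which is exactly what the message means by "maximal permissions".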
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009