SELinux Mailing List
Re: [RFC & PATCH] inherited type definition.
From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Tue, 15 Mar 2005 09:42:31 -0500
I was thinking more of an example like:
> In user_t/user_ext_t example, user_ext_t is same as user_t without tiny difference.

But if user_ext_t has more permissions than user_t, then allowing user_t to access user_ext_t in the same manner as it can access user_t means that a user_t process can effectively gain control of those same permissions too, just by transitioning to user_ext_t and running code in it or by ptrace'ing or otherwise acting upon a separate user_ext_t process. Thus, you gain nothing from having a separate user_ext_t type; there is no real protection/separation between user_t and user_ext_t, and you might as well directly allow the permissions to user_t. Why create a new type if you gain no security benefit?

> Common part of user_t and user_ext_t should have a permission for each other, I think.

I'm not sure how you distinguish the "common part" from the "outbounds part". Is this a notion of "private" and "public" portions of a type definition?

> I want to reserve this matter once for a certain time.

Ok, but we still need a way to make the "type...extends" feature practically useful by itself. As it stands, if you use it to define a more privileged child than the parent, the parent can easily take control of it and effectively gain those permissions too, so you might as well directly allow the permissions to the parent and not create the child at all. The only use it has in its current form is to create union types.

> In addition, it's possible not to decide a transition type/domain

No, I think the multiple inheritance is useful, e.g. for the union file type case. Possibly we need a way to mark which parent should be used for inheriting type transitions.

--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 15 Mar 2005 - 09:55:59 EST
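The separation argument in the message above can be checked mechanically. The following is an added example, not part of the original message or the patch under discussion: it models allow rules as tuples and computes which permissions a domain can reach through process transition or ptrace. The secret_t and user_home_t rules and all function names are constructed for illustration, and real domain transitions also need entrypoint and execute rules that are omitted here.

```python
from collections import deque

# Constructed policy: allow rules as (source type, target type, class, permission).
# user_ext_t is user_t plus one extra permission (the secret_t rule is an assumption).
BASE = {
    ("user_t", "user_home_t", "file", "read"),
    ("user_ext_t", "user_home_t", "file", "read"),
    ("user_ext_t", "secret_t", "file", "read"),
}

# Rules that let user_t act on user_ext_t the way it acts on its own processes.
PEER_ACCESS = {
    ("user_t", "user_ext_t", "process", "transition"),
    ("user_t", "user_ext_t", "process", "ptrace"),
}

# Process permissions that let the source run code as, or take over, the target.
CONTROL_PERMS = {"transition", "ptrace"}


def controllable(domain, rules):
    """Domains whose permissions `domain` can exercise: itself plus every
    domain reachable through a chain of transition/ptrace rules."""
    seen, queue = {domain}, deque([domain])
    while queue:
        src = queue.popleft()
        for s, t, cls, perm in rules:
            if s == src and cls == "process" and perm in CONTROL_PERMS and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def effective_permissions(domain, rules):
    """Every (target, class, permission) granted to a domain `domain` controls."""
    doms = controllable(domain, rules)
    return {(t, cls, perm) for s, t, cls, perm in rules if s in doms}


def separation_gain(child, parent, rules):
    """Permissions the child holds that the parent cannot reach.
    An empty set means the separate child type adds no protection."""
    return effective_permissions(child, rules) - effective_permissions(parent, rules)


if __name__ == "__main__":
    print("without peer access:", separation_gain("user_ext_t", "user_t", BASE))
    print("with peer access:   ", separation_gain("user_ext_t", "user_t", BASE | PEER_ACCESS))
```

An empty result for a child/parent pair is the case described in the message: the child's extra permissions might as well be allowed to the parent directly.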
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009