Re: dynamic context transitions
On Wed, Feb 16, 2005 at 08:05:53AM -0500, Stephen Smalley wrote:
> On Tue, 2005-02-15 at 16:34, Luke Kenneth Casson Leighton wrote:
> > i assume it _is_ necessary to perform dynamic auto transitions?
> >
> > such that i can track to alternative contexts, yes?
>
> No. Dynamic transitions are always explicitly requested by
> applications, just like setuid(2) calls. Since you must modify the
> application anyway to introduce the dynamic context transition (unlike
> an automatic transition upon an existing execve call), there is no such
> thing as an automatic dynamic transition.
the patch i created last night provides exactly that functionality.
whether it's the right thing to do, and whether it checks appropriate
permissions or not is an entirely different matter :)
i picked process:dyntransition and process:setcontext out of thin air,
based on observing the use of allow $1 $3:process transition and
allow $3 $2:file entrypoint in the domain_trans macro.
heck, maybe it _should_ be process:dyntransition and process:entrypoint.
... i will wait until someone absorbs the impact and implications
of the patch i created.
> Now, the issue of how to get
> the right new domain is another matter. For user contexts, we want
> something akin to get_default_context().
yes.
[i understand about get_default_context() only supporting
transition not dyntransition]
> But in this case, you are
> again dealing with two fixed domains that are not associated with a
> user,
no, that's wrong.
i _do_ need a domain which is associated with the user,
in an easily derivable manner, that can be specified in the
SE-Linux policy source.
why?
in order to be able to restrict users from logging in on a per-IP
basis.
e.g. so restricted_user1 can ONLY ssh in from 192.168.0.223, because
i set up a net_context that said so, and associated
sshd_priv_restricted_user1_t with that network context
(instead of using the can_network() macro, i'd use a hacked version
of can_network())
l.
--
This message was distributed to subscribers of the selinux mailing list.
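The two kinds of transition discussed in the thread, written out as an added example policy fragment that is not Luke's patch nor any rule from the original messages; it uses the example-policy conventions the thread refers to (the domain_trans rules, the node_type attribute behind can_network()), and the type names sshd_priv_restricted_user1_t and restricted_node_t are taken from Luke's sketch or are assumed.

```selinux
# Constructed example: the execve-based transition that domain_trans()
# grants, the explicit dynamic transition, and a per-IP restriction on
# the resulting domain. Not from the original thread or patch.

# 1. Automatic transition. It fires on execve() of the entrypoint file
#    and needs no change to the program; these are the rules Luke quotes
#    from domain_trans($1=initrc_t, $2=sshd_exec_t, $3=sshd_t), plus the
#    type_transition that makes the new domain the default.
allow initrc_t sshd_exec_t:file { getattr execute };
allow initrc_t sshd_t:process transition;
allow sshd_t sshd_exec_t:file entrypoint;
type_transition initrc_t sshd_exec_t:process sshd_t;

# 2. Dynamic transition. There is no execve(): the already-running
#    program must call setcon(3), which writes /proc/self/attr/current,
#    and the kernel checks this one permission. No rule can make it
#    happen without that call, which is Stephen's point above.
allow sshd_t sshd_priv_restricted_user1_t:process dyntransition;

# 3. Per-IP restriction. Label the single permitted peer address with
#    its own node type and allow only that node to the restricted domain,
#    instead of the blanket node_type access that can_network() grants.
#    (restricted_node_t is an assumed name; nodecon lines belong in the
#    net_contexts section of the policy, not in a .te file.)
type restricted_node_t, node_type;
nodecon 192.168.0.223 255.255.255.255 system_u:object_r:restricted_node_t

allow sshd_priv_restricted_user1_t restricted_node_t:node { tcp_recv tcp_send };
```

Because step 3 grants restricted_node_t only, a session in sshd_priv_restricted_user1_t that reaches any other node is denied and logged as an AVC denial on the node class, which is the check to look for when verifying the restriction.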