Re: file_type_auto_trans is not sufficient

[Chad Sellers <chad@xxxxxxxxxxxxxx>]

On May 31, 2005, at 5:21 PM, Luke Kenneth Casson Leighton wrote:


> On Tue, May 31, 2005 at 10:57:20AM -0400, Ivan Gyurdiev wrote:
>
>
> > > The other option, of course, is to change the applications to use/ 
> > > create many
> > > more directories, each with a separate type to allow the  
> > > file_type_auto_trans
> > > rules to work. Your orbit example might mean that there is a /tmp/ 
> > > orbit
> > > directory where all orbit files are created.
> >
> > The problem is not multiple source domains - that can be addressed
> > through macros. The problem is that those domains use the same  
> > directory
> > (Usually /tmp, or /home), for their own purposes, and they need  
> > the same
> > transition (same directory and target class (dir/file)).
> >
> > Because you can have only one transition, this creates a problem.
>
>  ...
>
>  thinking "sideways" again - as i am wont to do.
>
>  how about... a "sideways" solution to this - at the kernel level?
>
>  a "silent" redirection / remount, on a per-application basis?
>
>  no, i'm not joking.
>
>  an option to "mount" which allows a specific APPLICATION (or group of
>  applications) to have any files/directories it creates/accesses in a
>  subdirectory ACTUALLY occur ELSEWHERE.
>
>  e.g.:
>
>  mount -o redirectexe=/usr/bin/mozilla-firefox /tmp /tmp/mozilla
>  mount -o redirectexe=/usr/bin/gnomeshite,/usr/bin/gnomemoreshite / 
> tmp /tmp/gconf
>
>  hm, that could get out-of-hand - the number of programs involved
>  that would need redirection..
>
>  *thinks* ... some other mechanism for "grouping" executables...
>
>  you could even hang it off of an selinux context (!) or selinux  
> domain
>  (!) such that a set of executables, possibly those executed by
>  certain users, would result in filesystem redirection - but not  
> others.
>
>  at your own discretion.
>
>  then, you _could_ specify /tmp/gconf equals "a different file  
> context".

Something like this already exists in userspace, though it's not  
entirely transparent.  The polyinsantiation library I posted a couple  
of weeks ago allows applications to bind mount (in a private  
namespace) member directories according to policy (type member  
rules).  This is mostly thought of as useful for user separation, but  
it can separate any types.  So, add a short wrapper program to call  
security_setupns() (from my patch) around mozilla and appropriate  
policy, and mozilla can have a private /tmp.  (note:  the wrapper  
would need to link any important files out of the original /tmp, such  
as X11 sockfiles).

That said, this doesn't solve Ivan's problem.  You still have a  
single application (gconfd in his example) creating /tmp/gconfd and / 
tmp/orbit, with only one type transition rule allowed.  You can't  
mount /tmp/gconfd over /tmp for portions of execution, and then /tmp/ 
orbit over /tmp for other parts of execution.

Chad



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.