
Re: Alternative user management approach


On Monday 27 June 2005 03:46, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
> > > How does all this work with MLS ranges?
> >
> > How does it cause problems with MLS?
>
> Maybe it doesn't. On the other hand, can you
> explain how it might work if you have a user
> (I'll call him Barney today) who is cleared
> to Secret in compartment A17 and B43? Do we
> have to have a separate role for Secret,A17
> and Secret,B32 or do we need SELinux users
>
>    Barney,Unclassified
>    Barney,Secret
>    Barney,Secret,A17
>    Barney,Secret,B43
>    Barney,Secret,A17,B43

So the issue that you are raising is that the number of combinations of MLS 
clearance is potentially 2^(number of categories) * (number of levels) which 
is much greater than 2^(number of roles in strict policy), and that the 
number of such combinations which is desired in MLS may be significantly 
greater than the number of role combinations which are desired with a strict 
policy.

This will make management a little more complex, but I don't imagine that the 
situation of having the number of SE Linux identities approaching the number 
of Unix accounts will be common.  I expect that in most real systems they 
usually choose a category of access to grant each user as assigning access 
individually to each user is more effort.

For the case where each Unix user has a discrete set of access rights the 
administrator would just do exactly what they do today.  Their security 
policy merely prevents them from taking advantage of the new feature which we 
are designing.  It's not a problem of the feature, just a fact that it won't 
be useful for everyone.

> > Unix account names not UIDs. I think a mapping file
> > is the only way.
>
> Names not numbers, definitely.

Although there is something to be said for using GID numbers.  If you have 
number 500 in your GID field in /etc/passwd and there are two entries for 500 
in /etc/group then things can be ambiguous if using the group name.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
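The duplicate-GID ambiguity raised at the end of the mail can be checked mechanically. The following script is an added example written for this archive page; it is not code from the thread, from SELinux, or from the packages in the signature. It parses constructed /etc/passwd and /etc/group lines (sample data, not from any real system), resolves each user's primary group, and flags the case where one GID number appears under two group names, so that a mapping keyed by name would have more than one possible answer while a mapping keyed by the GID number does not.

```python
"""Resolve a Unix user's primary group from constructed /etc/passwd and
/etc/group lines, and flag the ambiguity that arises when one GID number
appears under two group names (the situation discussed in the mail)."""

# Constructed sample data (not from any real system). Two /etc/group
# entries share GID 500, so translating barney's primary GID to a group
# name yields two candidates.
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "barney:x:1001:500:Barney:/home/barney:/bin/bash",
    "fred:x:1002:501:Fred:/home/fred:/bin/bash",
]

GROUP_LINES = [
    "root:x:0:",
    "analysts:x:500:barney",
    "staff:x:500:",          # duplicate GID 500 under a second name
    "devs:x:501:fred",
]


def parse_passwd(lines):
    """Map user name -> primary GID (int); blank and comment lines are skipped."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[3])
    return users


def parse_group(lines):
    """Map GID (int) -> list of group names carrying that GID.

    A clean /etc/group has exactly one name per GID; a list longer than one
    is the duplicate-GID case that makes lookup by name ambiguous."""
    gid_to_names = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed group line: {line!r}")
        gid_to_names.setdefault(int(fields[2]), []).append(fields[0])
    return gid_to_names


def duplicate_gids(gid_to_names):
    """Return the sorted GIDs that appear under more than one group name."""
    return sorted(g for g, names in gid_to_names.items() if len(names) > 1)


def primary_group_names(user, users, gid_to_names):
    """Return (gid, [candidate group names]) for the user's primary group.

    The GID number is a single unambiguous value; only the translation to a
    name can produce several answers, which is why keying a mapping file on
    the number avoids the problem."""
    gid = users[user]
    return gid, gid_to_names.get(gid, [])


if __name__ == "__main__":
    users = parse_passwd(PASSWD_LINES)
    groups = parse_group(GROUP_LINES)
    print("duplicate GIDs:", duplicate_gids(groups))
    for u in users:
        gid, names = primary_group_names(u, users, groups)
        flag = " (AMBIGUOUS by name)" if len(names) > 1 else ""
        print(f"{u}: gid {gid} -> {names}{flag}")
```

Running it on the constructed data reports GID 500 as duplicated and lists both "analysts" and "staff" as candidate primary groups for barney, while fred resolves to a single name. The same parsers can be pointed at a real system's files to audit for duplicate GIDs before building a name-based mapping.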

--
This message was distributed to subscribers of the selinux mailing list.