[sds@epoch.ncsc.mil: Re: dynamic context transitions]

Luke Kenneth Casson Leighton lkcl at lkcl.net
Mon Nov 1 18:34:15 GMT 2004

discussions on the selinux mailing list appear to be advocating
a patch to selinux which proposes to add [and the analogy is
incredibly loose] an seteuid-like functionality.

selinux doesn't have the concept of users: only what is called "domains"
[which are not to be confused with NT domains].

at present, the only way to transition between one domain and another is
to exec[v] another process: given the name of the executable doing the
exec'ing and also the name of the executable _being_ exec'd, the new
process obtains [transitions to] a predetermined set of permissions
[e.g. allow read access to samba config files, allow read write
 remove and rename access on user files]

under the proposed modifications to selinux, an _existing_ process can
(if it has permission) obtain [transition to] a new set of permissions.

hence, at the point where seteuid() is used in samba, a call to a
[proposed] SE/Linux function would allow samba to transition from one
domain [a root-only, configuration-file-accessing-only domain] to
another [a user-file-accessing domain].

this would be in become_user().

of course - unbecome_user() would also need to be able to
transition back again, using the same [proposed] function: just back
to the domain named oh i dunno "smbd_as_root_t" or something.


----- Forwarded message from Stephen Smalley <sds at epoch.ncsc.mil> -----

Envelope-to: lkcl at localhost
Delivery-date: Mon, 01 Nov 2004 18:21:48 +0000
X-Sieve: CMU Sieve 2.2
Subject: Re: dynamic context transitions
From: Stephen Smalley <sds at epoch.ncsc.mil>
To: Darrel Goeddel <dgoeddel at TrustedCS.com>
Cc: Luke Kenneth Casson Leighton <lkcl at lkcl.net>,
	"selinux at tycho.nsa.gov" <selinux at tycho.nsa.gov>,
	Chad Hanson <chanson at TrustedCS.com>,
	James Morris <jmorris at redhat.com>
Organization: National Security Agency
X-hands-com-MailScanner: Found to be clean
X-MailScanner-From: sds at epoch.ncsc.mil

On Mon, 2004-11-01 at 11:23, Darrel Goeddel wrote:
> I have looked back on the threads involving smbd and famd and it does indeed 
> seem that dynamic transitions may help to bring those applications to a 
> "SELinux-aware" state.  For instance, famd would be able to transition from its 
> "standard domain" to a domain which would have the same file access as the user. 
>   Once in this domain, it would be able to leverage the kernel's access 
> decisions because they will be computed against the access rights of the user's 
> type.  I am not really familiar with the architecture and the specific problems 
> of the daemons, so I don't want to throw out any specific advice on using 
> dynamic transitions to SELinuxify the programs.

- Note that you would want to use a derived domain, e.g. smbd_user_t,
rather than the user domain itself, so that you could convey the same
file permissions (likely via a shared macro) without conveying any other
permissions associated with the user domain or exposing the smbd process
to other processes in the user domain.  No need for a fsuid equivalent;
you can just use a derived domain and appropriate macros to convey the
right subset of permissions.

- In Fedora, gamin (http://www.gnome.org/~veillard/gamin) was created as
a replacement for famd that is more SELinux-friendly; you get one daemon
per user or per session rather than system-wide.

Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

----- End forwarded message -----

you don't have to BE MAD   | this space    | my brother wanted to join mensa,
  to work, but   IT HELPS  |   for rent    | for an ego trip - and get kicked 
 you feel better!  I AM    | can pay cash  | out for a even bigger one.
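As an illustration of the derived-domain arrangement Stephen recommends, here is a policy-level sketch added here (it is not Samba's policy nor anything posted in the thread); it uses the `dyntransition` process permission that later libselinux/kernels expose for the function the thread still calls "proposed", and the type names `smbd_t`, `user_t`, `user_home_t`, `user_home_dir_t` and the macro name `user_file_perms` are assumed for the example.

```selinux
# Illustrative TE fragment in the m4-macro style of 2004-era policy.
# smbd_t, user_t, user_home_t, user_home_dir_t and user_file_perms are
# assumed names; smbd_user_t is the derived domain introduced here.

# --- the weak form Stephen warns against (shown commented out) ---
# Letting smbd hop straight into the user's own domain would hand it
# every other user_t permission (network, ipc, signals, ...) and would let
# every other user_t process signal or ptrace the smbd worker.
#   allow smbd_t user_t:process dyntransition;
#   allow user_t smbd_t:process dyntransition;

# --- corrected form: a derived domain holding only the file subset ---
type smbd_user_t, domain;

# One shared macro conveys the same file access to the real user domain
# and to the derived smbd domain, so the kernel's access decision in
# smbd_user_t matches what the user could do directly.
define(`user_file_perms', `
allow $1 user_home_dir_t:dir { getattr search read write add_name remove_name };
allow $1 user_home_t:dir      { getattr search read write add_name remove_name };
allow $1 user_home_t:file     { getattr setattr read write create unlink rename };
')
user_file_perms(user_t)
user_file_perms(smbd_user_t)

# Dynamic transitions in both directions: become_user() enters the
# derived domain, unbecome_user() returns to the root-only domain.
# Nothing else is granted to smbd_user_t, and nothing grants user_t any
# access to smbd_user_t processes, which is the isolation the derived
# domain buys over reusing user_t.
allow smbd_t smbd_user_t:process dyntransition;
allow smbd_user_t smbd_t:process dyntransition;

# Caveat: a dynamic transition leaves the process image untouched, so the
# reverse rule is a convenience for the same code, not a trust boundary
# between the two halves of smbd; the gain is that the kernel, not smbd,
# decides user-file access while the worker runs in smbd_user_t.
```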
