[email@example.com: Re: dynamic context transitions]
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Mon Nov 1 18:34:15 GMT 2004
discussions on the selinux mailing list appear to be advocating
a patch to selinux which proposes to add [and the analogy is
incredibly loose] an seteuid-like functionality.
selinux doesn't have the concept of users: only what is called "domains"
[which are not to be confused with NT domains].
at present, the only way to transition between one domain and another is
to exec[v] another process: given the name of the executable doing the
exec'ing and also the name of the executable _being_ exec'd, the new
process obtains [transitions to] a predetermined set of permissions
[e.g. allow read access to samba config files, allow read write
remove and rename access on user files]
under the proposed modifications to selinux, an _existing_ process can
(if it has permission) obtain [transition to] a new set of permissions.
hence, at the point where seteuid() is used in samba, a call to a
[proposed] SE/Linux function would allow samba to transition from one
domain [a root-only, configuration-file-accessing-only domain] to
another [a user-file-accessing domain].
this would be in become_user().
of course - unbecome_user() would also need to be able to
transition back again, using the same [proposed] function: just back
to the domain named oh i dunno "smbd_as_root_t" or something.
----- Forwarded message from Stephen Smalley <sds at epoch.ncsc.mil> -----
Envelope-to: lkcl at localhost
Delivery-date: Mon, 01 Nov 2004 18:21:48 +0000
X-Sieve: CMU Sieve 2.2
Subject: Re: dynamic context transitions
From: Stephen Smalley <sds at epoch.ncsc.mil>
To: Darrel Goeddel <dgoeddel at TrustedCS.com>
Cc: Luke Kenneth Casson Leighton <lkcl at lkcl.net>,
"selinux at tycho.nsa.gov" <selinux at tycho.nsa.gov>,
Chad Hanson <chanson at TrustedCS.com>,
James Morris <jmorris at redhat.com>
Organization: National Security Agency
X-hands-com-MailScanner: Found to be clean
X-MailScanner-From: sds at epoch.ncsc.mil
On Mon, 2004-11-01 at 11:23, Darrel Goeddel wrote:
> I have looked back on the threads involving smbd and famd and it does indeed
> seem that dynamic transitions may help to bring those applications to a
> "SELinux-aware" state. For instance, famd would be able to transition from its
> "standard domain" to a domain which would have the same file access as the user.
> Once in this domain, it would be able to leverage the kernel's access
> decisions because they will be computed against the access rights of the user's
> type. I am not really familiar with the architecture and the specific problems
> of the daemons, so I don't want to throw out any specific advice on using
> dynamic transitions to SELinuxify the programs.
- Note that you would want to use a derived domain, e.g. smbd_user_t,
rather than the user domain itself, so that you could convey the same
file permissions (likely via a shared macro) without conveying any other
permissions associated with the user domain or exposing the smbd process
to other processes in the user domain. No need for a fsuid equivalent;
you can just use a derived domain and appropriate macros to convey the
right subset of permissions.
- In Fedora, gamin (http://www.gnome.org/~veillard/gamin) was created as
a replacement for famd that is more SELinux-friendly; you get one daemon
per user or per session rather than system-wide.
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
----- End forwarded message -----
you don't have to BE MAD | this space | my brother wanted to join mensa,
to work, but IT HELPS | for rent | for an ego trip - and get kicked
you feel better! I AM | can pay cash | out for a even bigger one.
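To make the two points in the thread concrete (a same-process transition at the become_user()/unbecome_user() boundary, and Stephen's advice to transition into a derived domain such as smbd_user_t rather than into user_t itself), here is an added example that is not code from the thread, from Samba or from SELinux. It models type enforcement with a small in-memory rule table; every domain name, file label and rule in it is constructed, and the "transition" process permission stands in for the proposed dynamic-transition check, not for any real SELinux permission name.

```c
/* Added example: a self-contained model of SELinux-style type enforcement,
 * showing the become_user()/unbecome_user() pattern with a derived domain
 * (smbd_user_t) instead of the user's own domain (user_t).
 * All domain names, file labels and rules below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* One "allow source target:class perm" rule. */
struct rule { const char *src, *tgt, *cls, *perm; };

/* Constructed policy. "transition" on class "process" models the proposed
 * same-process (dynamic) transition; it is an assumption, not a real SELinux name. */
static const struct rule policy[] = {
    { "smbd_t",      "samba_etc_t", "file",    "read"   },   /* root-only domain: config files */
    { "smbd_user_t", "user_home_t", "file",    "read"   },   /* derived domain: user files */
    { "smbd_user_t", "user_home_t", "file",    "write"  },
    { "smbd_user_t", "user_home_t", "file",    "unlink" },
    { "smbd_user_t", "user_home_t", "file",    "rename" },
    { "user_t",      "user_home_t", "file",    "read"   },   /* the user's own domain */
    { "user_t",      "user_home_t", "file",    "write"  },
    { "user_t",      "user_t",      "process", "signal" },   /* users may signal/ptrace only user_t */
    { "user_t",      "user_t",      "process", "ptrace" },
    { "smbd_t",      "smbd_user_t", "process", "transition" }, /* become_user() */
    { "smbd_user_t", "smbd_t",      "process", "transition" }, /* unbecome_user() */
};

/* Access decision: is "src" allowed "perm" on "tgt" of class "cls"? */
static int allowed(const char *src, const char *tgt, const char *cls, const char *perm)
{
    size_t i;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (!strcmp(policy[i].src, src) && !strcmp(policy[i].tgt, tgt) &&
            !strcmp(policy[i].cls, cls) && !strcmp(policy[i].perm, perm))
            return 1;
    return 0;
}

/* A process is reduced to its current domain. */
struct proc { const char *domain; };

/* Model of the proposed call: change domain in place, only if policy permits it. */
static int dyn_transition(struct proc *p, const char *newdom)
{
    if (!allowed(p->domain, newdom, "process", "transition"))
        return -1;            /* a real kernel would return EACCES */
    p->domain = newdom;
    return 0;
}

static int become_user(struct proc *p)   { return dyn_transition(p, "smbd_user_t"); }
static int unbecome_user(struct proc *p) { return dyn_transition(p, "smbd_t"); }

/* Runs the whole sequence; each bit records one check that held (255 = all held). */
int demo(void)
{
    struct proc smbd = { "smbd_t" };
    int r = 0;
    if (allowed(smbd.domain, "samba_etc_t", "file", "read"))   r |= 1;   /* as root: config readable */
    if (!allowed(smbd.domain, "user_home_t", "file", "read"))  r |= 2;   /* as root: no user files */
    if (become_user(&smbd) == 0)                               r |= 4;   /* transition permitted */
    if (allowed(smbd.domain, "user_home_t", "file", "unlink")) r |= 8;   /* as user: user files */
    if (!allowed(smbd.domain, "samba_etc_t", "file", "read"))  r |= 16;  /* as user: config gone */
    /* derived domain: an ordinary user_t process cannot ptrace the smbd worker */
    if (!allowed("user_t", smbd.domain, "process", "ptrace"))  r |= 32;
    if (unbecome_user(&smbd) == 0 && !strcmp(smbd.domain, "smbd_t")) r |= 64;
    /* jumping straight into user_t is not in the policy, so it is refused */
    if (dyn_transition(&smbd, "user_t") == -1)                 r |= 128;
    return r;
}

int main(void)
{
    printf("observed = %d (255 means every check held)\n", demo());
    return 0;
}
```

The point of bits 32 and 128 is Stephen's: smbd_user_t shares the user's file permissions through its own rules, but because it is a distinct type, nothing granted to or over user_t (signal, ptrace) reaches the smbd worker, and the daemon never needs to hold user_t itself.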