Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg

On 11/9/06, Stephen Smalley <[email protected]> wrote:

Unless I missed something, your plan above would disable SELinux
syslog-related permission checking upon reads of a previously opened
file descriptor to /proc/kmsg.  So it would change SELinux behavior in a
way that is directly contrary to the notion of mandatory access control.

Yes, it would do that; no, I don't see why that change is contrary to
the notion of mandatory access control.  An open fd on /proc/kmsg
(with my changes applied) offers strictly fewer privileges than
SYSTEM__SYSLOG_MOD (no access to opcodes 4 and 5), and with SELinux
active, you can't get that open fd without having had
SYSTEM__SYSLOG_MOD at some prior time.  SELinux does not (as far as I
can tell) do MAC checks for access to normal files at read() time,
only open().

I see this as bringing /proc/kmsg in line with standard Unix file
permission semantics, overall.

Part 4 appears to further expose /proc/kmsg to access by any uid 0
process even if it has no capabilities (think privilege shedding or
containers).

Only in the default privilege model, not in SELinux.  (CAP_SYS_ADMIN
is a hell of a lot more powerful than SYSTEM__SYSLOG_MOD.)  And I
could be talked out of part 4.

But having a mapping in the core to a much
smaller set of permissions would be even better, and help with
maintenance; the next time someone added a new code, they would more
likely see the mapping table in the core and update it than go digging
into the individual security modules.

But that mapping is itself a security policy decision, and could
plausibly need to be done differently in different security modules...

zw
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Stephen Smalley <[email protected]>

• References:
  • RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: "Zack Weinberg" <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Chris Wright <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Sergey Vlasov <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Chris Wright <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Stephen Smalley <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: "Zack Weinberg" <[email protected]>
  • Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
    • From: Stephen Smalley <[email protected]>

• Prev by Date: Re: Abysmal PATA IDE performance
• Next by Date: Re: XFS filesystem performance drop in kernels 2.6.16+
• Previous by thread: Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
• Next by thread: Re: RFC PATCH: apply security_syslog() only to the syslog() syscall, not to /proc/kmsg
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]