Re: [RFC] packet/socket owner match (fireflier) using skfilter


On Monday 03 April 2006 18:18, James Morris wrote:
> On Sun, 2 Apr 2006, Török Edwin wrote:
> > Before continuing the work on it, I ask for your advice, and comments on
> > what I've done so far.
>
> I would suggest dropping your LSM stuff and just using SELinux.  It's
> crazy to try and reinvent it.
I am not trying to reinvent SELinux. But I do not know how to accomplish what 
I want with SELinux.

Here is what I want:
- have security labels applied to sockets based on their owners (ok, I guess 
SELinux does this by default)

- the security labels of processes be assigned based on their executable's 
inode+mountpoint.
Is there a way to do auto-labeling with SELinux? I mean having a security 
context applied based on the inode, without me having to run 'make relabel', 
setfiles, and so on....
Let's say I compile&install a program. Can it have a security label 
auto(magically) applied, based on the inode of its executable? (without 
recompiling, & reloading the policy)

(From my very limited understanding of SELinux, this would mean creating a 
context for each executable, that is altering the policy, if each executable 
needs to have a separate context. Is it possible to dynamically generate the 
context at runtime? Is it possible to integrate my autolabel.c with SELinux?)

It doesn't have to have a security label applied by its inode, but that is 
unique; I don't know how secure it would be to identify processes by path...

If the above is possible, could you please provide pointers to documentation?

How can I implement auto-labeling with SELinux? (is there a possibility to 
write some sort of plugins that provide this functionality?)

To sum up, I wrote my LSM stuff because I didn't know how to use SELinux to 
accomplish what I wanted. 
If it can be done with SELinux easily, I'm happy to switch to that. (easy from 
the end-user's perspective, using fireflier for example. it doesn't matter 
how much work it would imply to make fireflier handle the stuff "behind the 
scenes")

Thanks in advance,
Edwin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
