On Apr 18, 2006, at 21:48:56, Casey Schaufler wrote:
> --- James Morris <[email protected]> wrote:
>> With pathnames, there is an unbounded and unknown number of
>> effective security policies on the system, as there are an
>> unbounded and unknown number of ways of viewing the files via
>> pathnames.
> I agree that for traditional DAC and MAC (including the flavors
> supported by SELinux) inodes are the only way to go. SELinux is a
> traditional Trusted OS architecture and addresses the traditional
> Trusted OS issues.
Perhaps the SELinux model should be extended to handle (dir-inode,
path-entry) pairs. For example, if I want to protect the /etc/shadow
file regardless of what tool is used to safely modify it, I would set
up security as follows:
o Protect the "/" and "/etc" directory inodes as usual under SELinux
(with attributes on directory inodes).
o Create pairs with (etc_inode,"shadow") and (etc_inode,"gshadow")
and apply security attributes to those potentially nonexistent pairs.
I'm not terribly familiar with the exact internal semantics of
SELinux, but that should provide a 90% solution (it fixes bind mounts
and namespaces). The remaining 2 issues are hardlinks and
fd-passing. For hardlinks you don't care about other links to that
data; you're concerned with protecting a particular filesystem
location, not particular contents, so you just need to prevent _new_
hardlinks to a protected (dir_inode, path_elem) pair, which doesn't
seem very hard. For fd-passing, I don't know what to do. Perhaps
nothing.
Anyways, just a few ideas for consideration.
Cheers,
Kyle Moffett
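The (dir_inode, path_entry) labelling sketched in the message above, as an added toy model in Python; it is not kernel code and not SELinux's or any project's actual implementation. It assumes a constructed in-memory tree in which /jail/etc stands in for a bind mount of /etc, and shows that the label on (etc_inode, "shadow") is hit by every route to that directory entry, that a not-yet-existing "gshadow" can be labelled, and that the proposed rule refuses new hardlinks to a protected pair while still allowing them for unlabelled files.

```python
from dataclasses import dataclass, field

@dataclass
class Inode:
    ino: int
    entries: dict = field(default_factory=dict)   # name -> Inode (directories only)

# Security attributes keyed by (directory inode number, name).  A pair may be
# labelled before any object with that name exists in the directory.
PAIR_LABELS = {}

def label_pair(dir_inode, name, label):
    PAIR_LABELS[(dir_inode.ino, name)] = label

# Constructed toy tree: / is ino 1, /etc ino 2, /etc/shadow ino 3, /tmp ino 5.
# /jail/etc stands in for a bind mount: a second name that reaches inode 2.
root, etc, jail, tmp = Inode(1), Inode(2), Inode(4), Inode(5)
root.entries.update(etc=etc, jail=jail, tmp=tmp)
etc.entries.update(shadow=Inode(3), passwd=Inode(6))
jail.entries["etc"] = etc

label_pair(root, "etc", "etc_t")
label_pair(etc, "shadow", "shadow_t")
label_pair(etc, "gshadow", "shadow_t")    # file does not exist yet; pair still labelled

def lookup(path):
    """Resolve path; return (parent dir inode, final name, pairs crossed)."""
    names = [p for p in path.split("/") if p]
    node, pairs = root, []
    for name in names[:-1]:
        pairs.append((node.ino, name))
        node = node.entries[name]             # intermediate directories must exist
    pairs.append((node.ino, names[-1]))
    return node, names[-1], pairs

def labels_hit(path):
    """Labels a subject must be permitted on to reach path, whatever the route."""
    return [PAIR_LABELS[p] for p in lookup(path)[2] if p in PAIR_LABELS]

def link(src, dst):
    """Model link(2): refuse a new name for a protected (dir_inode, name) pair."""
    sparent, sname, spairs = lookup(src)
    if spairs[-1] in PAIR_LABELS:
        return False                          # EPERM in a real implementation
    dparent, dname, _ = lookup(dst)
    dparent.entries[dname] = sparent.entries[sname]
    return True
```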