Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

On Wed, 2006-04-19 at 02:40 -0400, Kyle Moffett wrote:
> On Apr 18, 2006, at 21:48:56, Casey Schaufler wrote:
> > --- James Morris <[email protected]> wrote:
> >> With pathnames, there is an unbounded and unknown number of  
> >> effective security policies on the system, as there are an
> >> unbounded and unknown number of ways of viewing the files via  
> >> pathnames.
> >
> > I agree that for traditional DAC and MAC (including the flavors  
> > supported by SELinux) inodes is the only way to go. SELinux is a  
> > traditional Trusted OS architecture and addresses the traditional  
> > Trusted OS issues.
> 
> Perhaps the SELinux model should be extended to handle (dir-inode,  
> path-entry) pairs.  For example, if I want to protect the /etc/shadow  
> file regardless of what tool is used to safely modify it, I would set  
> up security as follows:
> 
> o  Protect the "/" and "/etc" directory inodes as usual under SELinux  
> (with attributes on directory inodes).

in which namespace are these? And are they in a chroot?
And what if someone makes /etd a symlink to /etc :)
And what if I bind-mount something on top of /etc/shadow ?
or unlink the file while holding it open? Should the security suddenly
go away? There's no "directory" for this file anymore at that point.
Or if I hardlink /etc/shadhow to /tmp/shad ... what then?


> o  Create pairs with (etc_inode,"shadow") and (etc_inode,"gshadow")  
> and apply security attributes to those potentially nonexistent pairs

again see above ;_)

> .
> 
> I'm not terribly familiar with the exact internal semantics of  
> SELinux, but that should provide a 90% solution (it fixes bind mounts  
> and namespaces).

how does this fix namespaces or even bind mounts?
(or even symlinks for that matter)


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Casey Schaufler <[email protected]>
  • Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
    • From: Kyle Moffett <[email protected]>

• Prev by Date: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Next by Date: Re: [PATCH]drivers/char/cs5535_gpio.c:call cdev_del during module_exit to unmap kobject references and other cleanups.
• Previous by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Next by thread: Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]