Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2007-10-10 at 07:48 -0600, Eric W. Biederman wrote:
> Alan Cox <[email protected]> writes:
> 
> >> My very practical question:  How do I run selinux in one container,
> >> and SMACK in another?
> >
> > In the LSM model you don't because you could have the same container
> > objects visible in different contains at the same time and subject to
> > different LSMs. What does it mean to pass an SELinux protected object
> > over an AppArmour protected unix domain socket into a SMACK protected
> > container ?
> 
> You raise a good point.  My intuitive definition would go something like
> this.  In the initial LSM space we would have whatever is the primary
> LSM and it would always be invoked about everything.   However it
> would view a single container (no matter what user in that container)
> as having a single set of permissions.  Then the LSM in the container
> be asked to further validate accesses, but it would distinguish
> between users in the container.

SELinux internally has a notion of a type hierarchy, where a type is
limited to a subset of its parent's permissions, and one can then
delegate the ability to manage sub-types via a policy daemon.  But this
is all handled in userspace; the kernel doesn't care about it.

Ditto for the modular policy support - that's a userspace construct that
is ultimately turned into a single coherent policy for the kernel to
enforce.

> At this point it looks like if I am going to be effective at doing
> anything I am going to need to step back watch SMACK get merged and
> then really look at what the LSM modules are implementing.  Then
> I can refactor the whole mess and move additional functionality into
> the LSM to help me achieve other things.
> 
> > Really its the same problem as "I'd like to use different file permission
> > systems on different process identifiers" and it would be very hard to
> > get right simply because objects can pass between two different security
> > models.
> 
> Yep.  Although the isolation of a container with a completely
> different set of namespaces is tight enough that except for people
> debugging a container from processes in the container from outside the
> container object exchange essentially doesn't happen.
> 
> You do raise a very good question here.  Does an LSM implement a
> different file permission system?  Or does an LSM implement a firewall
> between processes?
> 
> Certainly selinux seems too programmable to be considered just a
> different file permission system.  

A LSM implements a security model, where that model may encompass all
processes and objects.  SELinux (and Smack) in particular implement
mandatory access control and thus need to enforce consistent policy over
all processes and objects based on their security labels.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux