[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <657751.18080.qm@web36614.mail.mud.yahoo.com>
Date: Tue, 17 Apr 2007 13:19:54 -0700 (PDT)
From: Casey Schaufler <casey@...aufler-ca.com>
To: Andi Kleen <andi@...stfloor.org>, James Morris <jmorris@...ei.org>
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: AppArmor FAQ
--- Andi Kleen <andi@...stfloor.org> wrote:
> On Tue, Apr 17, 2007 at 01:47:39PM -0400, James Morris wrote:
> > Normal applications need zero modification under SELinux.
> >
> > Some applications which manage security may need to be made SELinux-aware,
>
> Anything that can touch /etc/resolv.conf? That's potentially a lot of
> binaries
> if you consider anything scripts could do with it.
Well, no, you don't have to modify everything that might modify resolv.conf.
You do have to define your policy so that the set of things that might
modify resolv.conf is limited to the set of things that are appropriate.
You also need to note that SELinux has a notion of privilege that is
different from what is traditional. The ability to modify resolv.conf
is determined by the domain containing it and the relationship of the
domain containing the application to that domain, modified by any
domain transitions that may have occured to the process prior to or
during the attempted access.
> > although this can often be done with PAM plugins, which is a standard way
> > to do this kind of thing in modern Unix & Linux OSs.
>
> PAM plugins in vi and emacs? Scary idea.
>
> And what do you do if someone decides to use OpenOffice to edit their
> /etc/resolv.conf? For a lot of people that's the only text editor
> they know.
For SELinux to be effective it has to have a complete policy definition.
This would prevent the OpenOffice access (unless OpenOffice is in the
modify_resolv_conf_t domain) above.
This, by the way, is a fundimental advantage of a path scheme over a
label scheme in that label schemes require every object be labeled
(it's Section 3.1.1.3 of the TCSEC if you want to look it up) while a
path scheme (in the absences of a published requirement) only requires
those names it cares about. SELinux in the absence of a correct and
complete policy could be considered dangerous.
Casey Schaufler
casey@...aufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists