
Re: Type boundaries: questions on the semantics / is the enforcement correct ?

From: Stephen Smalley <sds_at_nospam>
Date: Fri Jan 15 2010 - 15:51:59 GMT
To: Jacques Thomas <jthomas@cs.purdue.edu>


On Mon, 2009-11-30 at 22:53 -0500, Jacques Thomas wrote:
> KaiGai Kohei wrote:
> >>>> I also think we have one other rough option.
> >>>> It simply applies type boundaries only to sources to restrict their privileges,
> >>>> and it does not apply any restrictions on target types.
> >>>>
> >>>>
> >>>>
> >>> Unless there is a clear use for bounds on targets, I would favor this
> >>> option. (The "rough" one :-) )
> >>> I see mostly room for confusion with the bounds on target types, because
> >>> of the contravariance issue.
> >>>
> >>>
> >> I can write and submit a patch along these lines. The patch is
> >> straightforward: I just have to remove the "dead" code.
> >>
> >
> > Note that libsepol has an option which tests for type-boundary violations
> > in usermode just before policy load.
> > Also check check_avtab_hierarchy_callback() in libsepol/src/hierarchy.c.
> > (It is called when )
> >
> > Historically, this code was derived from the hierarchy namespace support by
> > Joshua Brindle. I'd like to ask him what he thinks about this change.
> >
> > MEMO: The hierarchy namespace support implicitly set up type-boundary
> > on a couple of types. For example, if we defined httpd_t.cgi type,
> > it is implicitly bounded by httpd_t type without TYPEBOUNDS.
> >
> > I also have not seen any case example which restricts target types by
> > the hierarchy namespace support. So, it seems to me there is no problem
> > with removing the "dead" code.
> >
> > Joshua, what's your opinion?
> >
> >
> >
> >> However, could someone please indicate to me how I am supposed to test the
> >> patch? In other words, is there a standardized testing procedure that I
> >> am unaware of?
> >>
> >
> > http://ltp.sourceforge.net/
> >
> > It also contains SELinux testcases including type boundaries, but it also
> > does not contain a case of type boundaries on target types.
> >

Where does this stand? IIUC, we are going to just remove the dead code from type_attribute_bounds_av() in the kernel and check_avtab_hierarchy_callback() in libsepol?

With regard to the ltp, note that the last version of the ltp with a working selinux testsuite was ltp-full-20090930. I am still trying to work with the ltp maintainers to fix it in cvs head, but that is still work in progress.

--
Stephen Smalley
National Security Agency
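The source-only bounds semantics the thread converges on, as an added illustration that is not libsepol's or the kernel's code: a small Python model of the check that a bounded (child) type may not be granted any permission on a (target, class) pair that its bounding (parent) type lacks, plus the implicit bound that hierarchy namespace support derives from dotted names such as httpd_t.cgi. Bounds on target types are deliberately not modelled. The type names and allow rules are constructed sample data, not from any real policy.

```python
"""Model of source-side typebounds checking (added example, not libsepol)."""
from collections import defaultdict


def implicit_bounds(type_names):
    """Hierarchy-namespace rule from the thread: a dotted type such as
    'httpd_t.cgi' is implicitly bounded by its prefix 'httpd_t'."""
    return {t: t.rsplit(".", 1)[0] for t in type_names if "." in t}


def index_rules(rules):
    """Merge allow rules into an avtab-like map: (src, tgt, cls) -> perms."""
    avtab = defaultdict(set)
    for src, tgt, cls, perms in rules:
        avtab[(src, tgt, cls)] |= set(perms)
    return avtab


def check_bounds(rules, bounds):
    """Return violations (child, parent, target, class, extra_perms) where a
    bounded source type is granted permissions its parent does not have on
    the same target/class.  Only the source side is restricted; a bound on a
    *target* type never causes a violation here."""
    avtab = index_rules(rules)
    violations = []
    for (src, tgt, cls), perms in sorted(avtab.items()):
        parent = bounds.get(src)
        if parent is None:
            continue  # unbounded source type: nothing to check
        extra = perms - avtab.get((parent, tgt, cls), set())
        if extra:
            violations.append((src, parent, tgt, cls, frozenset(extra)))
    return violations


# Constructed sample policy: httpd_t.cgi is implicitly bounded by httpd_t.
SAMPLE_TYPES = ["httpd_t", "httpd_t.cgi", "httpd_content_t", "shadow_t", "unbounded_t"]
SAMPLE_RULES = [
    ("httpd_t", "httpd_content_t", "file", {"read", "getattr"}),
    ("httpd_t.cgi", "httpd_content_t", "file", {"read"}),   # within bounds
    ("httpd_t.cgi", "httpd_content_t", "file", {"write"}),  # parent lacks write
    ("httpd_t.cgi", "shadow_t", "file", {"read"}),          # parent has no rule
    ("unbounded_t", "shadow_t", "file", {"read"}),          # not bounded: ignored
]


def sample_violations():
    return check_bounds(SAMPLE_RULES, implicit_bounds(SAMPLE_TYPES))


if __name__ == "__main__":
    for v in sample_violations():
        print("bounds violation:", v)
```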