Thank you very much~
Could you give me some examples of how they do it? Especially how the process forks its child processes and changes their domain contexts. In this case, I don't need to compile the policy, right? Also, I must predefine some contexts before the parent process does the allocation, but if there are many contexts needed to allocate, can I predefine them as a parameter, because I don't know how many context strings I will use?
For example, I define them as follows:
%d is a parameter, which can be 1, 2, 3, ..., so I can create a large
group of contexts as:
but without needing to do the definition:
On 8/27/07, Daniel J Walsh <firstname.lastname@example.org> wrote:
> Ian jonhson wrote:
> > It sounds very good.
> > Can I change the context of object in user mode dynamically? What I
> > mean is that I can fork some processes and allocate different context
> > (or domain context) to them; so they can create their own files
> > (object) holding different file context.
> > I googled some references about SELinux on the internet, and found many
> > cases can be dealt with by Apol, and maybe it also needs compiling
> > the policy file, right? Is it possible that I build a daemon to
> > allocate different domain contexts to its child processes? How to do it?
> Yes, if SELinux policy allows, programs can change the context of
> processes that they fork/exec. You can also just change the context of
> the current running process, but this is not as secure. You should ask
> your questions on the email@example.com list
> > Thank you very much for your advices.
> > Ian
> > On 8/25/07, Daniel J Walsh <firstname.lastname@example.org> wrote:
> > Ian jonhson wrote:
> >>>> Dear Daniel,
> >>>> I studied your wiki of FedoraCore, but still don't know how to start
> >>>> my jobs. What I want to do is:
> >>>> With the help of SELinux,
> >>>> 1. add some identity tag in subject's processes. The tag may be an
> >>>> integer, which can be set in the SID of SELinux.
> > SIDs are inside the kernel. What you call tags are called security
> > contexts, "strings" that are used for processes and files/directories. When
> > they are associated with a process they are sometimes called a domain.
> > When they are with a physical object they are called a file context.
> >>>> 2. the tag mentioned above can be stored in local filesystem, if the
> >>>> subject's processes create his files or temporary files. In other
> >>>> words, objects (here, it is files) can hold a tag identified who
> >>>> created them.
> > Well in SELinux there are four parts of the security context. The
> > SELinux user will be associated with any file created by the process
> > that creates it. But there is also a file context. So as an example
> > system_u:system_r:smbd_t:s0 is the default security context of the
> > running samba process. We can set it up so that it has read-only access
> > to files/directories labeled system_u:object_r:public_content_rw_t:s0
> > root:system_r:httpd_t:s0 is the process domain of the apache server, if
> > it had been restarted by the root SELinux user. It could be set up with
> > read/write access to system_u:object_r:public_content_rw_t:s0, depending
> > on how the policy is set up. If apache creates a file in a directory
> > labeled system_u:object_r:public_content_rw_t:s0, it will get a label
> > of root:object_r:public_content_rw_t:s0.
> > If a third process, say named, running as system_u:object_r:named_t:s0
> > tries to read this file, SELinux will deny it.
> > All three of these processes had UID=0
> > Read danwalsh.livejournal.com from the beginning for a full discussion
> > of how SELinux works.
> >>>> 3. when two processes with different tags access a file holding the owner's
> >>>> tag, SELinux can distinguish the processes with different tags and
> >>>> do access control.
> >>>> The two processes with different tags can have different uids or,
> >>>> even, the same uid, but their tags are not the same.
> >>>> How to implement these functionalities?
> >>>> Could you give me some advice?
> >>>> Thanks in advance,
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to email@example.com with the words "unsubscribe selinux" without quotes as the message.