
Re: About the SELinux in FedoraCore

From: Ian jonhson <jonhson.ian_at_nospam>
Date: Tue Aug 28 2007 - 05:00:11 GMT
To: "Daniel J Walsh" <dwalsh@redhat.com>


Thank you very much~

Could you give me some examples of how they do it? Especially of how the process forks its child processes and changes their domain contexts. In this case, I don't need to compile the policy, right? Also, I must predefine some contexts before the parent process does the allocation, but if there are many contexts that need to be allocated, can I predefine them with a parameter, because I don't know how many context strings I will use?

For example, I define them as follows:

type my_context_%d

%d is a parameter, which can be 1, 2, 3, ..., so I can create a large group of contexts as:
my_context_1
my_context_2
my_context_3
...
my_context_n

but I don't need to do the definitions:
type my_context_1
type my_context_2
type my_context_3
...
type my_context_n

On 8/27/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Ian jonhson wrote:
> > It sounds very good.
> >
> > Can I change the context of object in user mode dynamically? What I
> > mean is that I can fork some processes and allocate different context
> > (or domain context) to them; so they can create their own files
> > (object) holding different file context.
> >
> > I google some references about the selinux in internet, and found many
> > cases can be dealt with by Apol, and maybe it also needs to compile
> > the policy file, right? Is it possible that I build a daemon to
> > allocate different domain context to its child processes? how to do ?
> Yes, if SELinux policy allows, programs can change the context of
> processes that they fork/exec. You can also just change the context of
> the current running process, but this is not as secure. You should ask
> your questions on the selinux@tycho.nsa.gov list.
> >
> > Thank you very much for your advices.
> >
> > Ian
> >
> >
> >
> > On 8/25/07, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > Ian jonhson wrote:
> >>>> Dear Daniel,
> >>>>
> >>>>
> >>>> I studied your wiki of FedoraCore, but still don't know how to start
> >>>> my jobs. What I want to do is:
> >>>>
> >>>> With the help of SELinux,
> >>>>
> >>>> 1. add some identity tag in the subject's processes. The tag may be an
> >>>> integer, which can be set in the SID of SELinux.
> >>>>
> > SIDs are inside the kernel. What you call tags are called security
> > contexts; these "strings" are used for processes and files/directories. When
> > they are associated with a process they are sometimes called a domain.
> > When they are with a physical object they are called a file context.
> >
> >>>> 2. the tag mentioned above can be stored in the local filesystem, if the
> >>>> subject's processes create their files or temporary files. In other
> >>>> words, objects (here, files) can hold a tag identifying who
> >>>> created them.
> >>>>
> > Well, in SELinux there are four parts to the security context. The
> > SELinux user will be associated with any file created by the process
> > that creates it. But there is also a file context. So as an example:
> >
> > system_u:system_r:smbd_t:s0 is the default security context of the
> > running samba process. We can set it up so that it has read-only access
> > to files/directories labeled system_u:object_r:public_content_rw_t:s0.
> >
> > root:system_r:httpd_t:s0 is the process domain of the apache server, if
> > it had been restarted by the root SELinux user. It could be set up with
> > read/write access to system_u:object_r:public_content_rw_t:s0, depending
> > on how the policy is set up. If apache creates a file in a directory
> > labeled system_u:object_r:public_content_rw_t:s0, it will get a label
> > of root:object_r:public_content_rw_t:s0.
> >
> > If a third process, say named, running as system_u:object_r:named_t:s0
> > tries to read this file, SELinux will deny it.
> >
> >
> > All three of these processes had UID=0
> >
> > Read danwalsh.livejournal.com from the beginning for a full discussion
> > of how SELinux works.
> >
> >>>> 3. when two processes with different tags access a file holding the owner's
> >>>> tag, SELinux can distinguish the processes with different tags and
> >>>> do access control.
> >>>>
> >>>> The two processes with different tags can have different uids or
> >>>> even the same uid, but their tags are not the same.
> >>>>
> >>>> How can I implement these functionalities?
> >>>>
> >>>> Could you give me some advice?
> >>>>
> >>>> Thanks in advance,
> >>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFG0vN7rlYvE4MpobMRAgN/AJ9iLQnUYhuEhmuYZhEKPzZwWM/ItgCfSOBg
> i30HYwWoxY3awdVUGMXtvmI=
> =ch01
> -----END PGP SIGNATURE-----
>
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
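The reply above says that, if policy allows it, a program can put the processes it fork/execs into a different domain, and that a file picks up the SELinux user of the process that creates it. The C program below is an added example, not code from this thread or from libselinux: it does both through the kernel's /proc/self/attr/exec and /proc/self/attr/fscreate files, which are the files libselinux's setexeccon() and setfscreatecon() write to. Everything policy-specific in it is an assumption: the my_context_1, my_context_2, ... types are hypothetical and each one has to be declared in a policy module that is compiled and loaded (the policy language has no %d-style parametric type declaration), the parent's domain must be allowed to transition into them via the executable's type, and /tmp/tagged_by_1 is just a sample path. When a type is not declared or SELinux is not enabled, the /proc write fails with EINVAL; when the transition is not allowed, execve fails with EACCES.

```c
/* Added example, not from the thread: a parent forks children into different
 * SELinux domains and creates a file with a chosen label, through the kernel's
 * /proc/self/attr/* files (what libselinux's setexeccon()/setfscreatecon() use). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build "user:role:type:level". user, role and type must be non-empty and
 * colon-free; the level may contain ':' (an MLS range like s0-s0:c0.c1023).
 * Returns 0, or -1 if a field is bad or the buffer is too small. */
int build_context(char *out, size_t n, const char *user, const char *role,
                  const char *type, const char *level)
{
    const char *parts[3] = { user, role, type };
    for (int i = 0; i < 3; i++)
        if (!parts[i] || !*parts[i] || strchr(parts[i], ':'))
            return -1;
    if (!level || !*level) return -1;
    int len = snprintf(out, n, "%s:%s:%s:%s", user, role, type, level);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Write ctx to /proc/self/attr/<attr>; NULL clears it (zero-length write, as
 * libselinux does). The kernel checks the string against the loaded policy, so
 * this fails with EINVAL for an undeclared type or when SELinux is not enabled. */
int write_proc_attr(const char *attr, const char *ctx)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/attr/%s", attr);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t w = write(fd, ctx ? ctx : "", ctx ? strlen(ctx) : 0);
    int saved = errno;          /* keep the write() errno across close() */
    close(fd);
    errno = saved;
    return w < 0 ? -1 : 0;
}

/* Fork, set the child's exec context, exec argv[0]. The kernel applies the
 * transition at execve() only if policy allows it (process:transition from the
 * parent's domain, and the binary's type is an entrypoint of the target domain);
 * otherwise execve fails with EACCES. Returns the child's exit status (126/127
 * for the failures below), or -1 if fork/wait fails. */
int spawn_in_domain(const char *ctx, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (write_proc_attr("exec", ctx) < 0) {
            perror("set exec context");
            _exit(126);         /* never exec in the parent's domain by accident */
        }
        execv(argv[0], argv);
        perror("execv");
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Create path labeled ctx instead of the default (the creator's SELinux user,
 * object_r, and the directory's type unless a type_transition rule applies).
 * fscreate is cleared again whether or not the create succeeded. */
int create_with_context(const char *path, const char *ctx)
{
    if (write_proc_attr("fscreate", ctx) < 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    int saved = errno;
    write_proc_attr("fscreate", NULL);
    if (fd < 0) { errno = saved; return -1; }
    close(fd);
    return 0;
}

int main(void)
{
    char ctx[256], type[32];
    char *const argv[] = { "/bin/true", NULL };
    /* my_context_1..3 are hypothetical types: each has to be declared in a
     * loaded policy module before the kernel will accept the string. */
    for (int i = 1; i <= 3; i++) {
        snprintf(type, sizeof type, "my_context_%d", i);
        if (build_context(ctx, sizeof ctx, "system_u", "system_r", type, "s0") == 0)
            printf("%s -> child exit %d\n", ctx, spawn_in_domain(ctx, argv));
    }
    if (build_context(ctx, sizeof ctx, "system_u", "object_r", "my_context_1", "s0") == 0
        && create_with_context("/tmp/tagged_by_1", ctx) < 0)
        perror("create_with_context");
    return 0;
}
```

The child exits before exec if the exec label could not be set, so a policy error or a disabled SELinux never turns into a child quietly running in the parent's own domain. Writing the same string to /proc/self/attr/current (libselinux setcon()) instead changes the running process without an exec; that is the less secure route the reply mentions, and it needs process:dyntransition permission in policy. ps -Z and ls -Z show the resulting process and file labels.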