Re: [Bug #11500] /proc/net bug related to selinux

From: david
Date: Fri Sep 19 2008 - 12:59:44 EST

Next message: Christoph Lameter: "Re: [patch 3/4] cpu alloc: The allocator"
Previous message: Christoph Lameter: "Re: [patch 3/4] cpu alloc: The allocator"
In reply to: Stephen Smalley: "Re: [Bug #11500] /proc/net bug related to selinux"
Next in thread: Stephen Smalley: "Re: [Bug #11500] /proc/net bug related to selinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 18 Sep 2008, Stephen Smalley wrote:

On Thu, 2008-09-18 at 11:09 -0700, Eric W. Biederman wrote:
Stephen Smalley <sds@xxxxxxxxxxxxx> writes:

On Thu, 2008-09-18 at 08:38 -0400, Stephen Smalley wrote:
I do however think that the mantra that we can't require users to update
policy for kernel changes is unsupportable in general. The precise set
of permission checks on a given operation is not set in stone and it is
not part of the kernel/userland interface/contract. Policy isn't
"userspace"; it governs what userspace can do, and it has to adapt to
kernel changes.

I should note here that for changes to SELinux, we have gone out of our
way to avoid such breakage to date through the introduction of
compatibility switches, policy flags to enable any new checks, etc
(albeit at a cost in complexity and ever creeping compatibility code).
But changes to the rest of the kernel can just as easily alter the set
of permission checks that get applied on a given operation, and I don't
think we are always going to be able to guarantee that new kernel + old
policy will Just Work.

I know of at least 2 more directories that I intend to turn into
symlinks into somewhere under /proc/self. How do we keep from
breaking selinux policies when I do that?

I suspect we could tweak the logic in selinux_proc_get_sid() to always
label all symlinks under /proc with the base proc_t type already used
for e.g. /proc/self, at which point existing policies would be ok.

so if proc is mounted anywhere other then /proc the selinux policy would do odd things?

David Lang

For comparison how do we handle sysfs?

Unresolved; presently has a single label for all nodes.
See https://bugzilla.redhat.com/show_bug.cgi?id=228902
for prior discussion of fine-grained labeling support for sysfs.

How do we handle device nodes in tmpfs?

udev has selinux support - looks up the appropriate context in a
userland config file (file_contexts) via libselinux matchpathcon(3) and
sets it upon creation. tmpfs has long supported getting/setting
security.* attributes.

Ultimately do we want to implement xattrs and inotify on /proc?
Or is there another way that would simplify maintenance?

If proc supported setxattr, then I suppose early userspace could label
it instead of the kernel needing to determine a label internally. But
not sure how we'd cleanly migrate to avoid breakage with old userspace.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Lameter: "Re: [patch 3/4] cpu alloc: The allocator"
Previous message: Christoph Lameter: "Re: [patch 3/4] cpu alloc: The allocator"
In reply to: Stephen Smalley: "Re: [Bug #11500] /proc/net bug related to selinux"
Next in thread: Stephen Smalley: "Re: [Bug #11500] /proc/net bug related to selinux"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]