
List:       selinux
Subject:    Re: [RFC]integrity: SELinux patch
From:       Mimi Zohar <zohar () linux ! vnet ! ibm ! com>
Date:       2007-07-16 23:13:06
Message-ID: 1184627586.10795.70.camel () localhost ! localdomain

On Mon, 2007-07-16 at 14:40 -0400, Joshua Brindle wrote:
> Mimi Zohar wrote:
> > This is a first attempt to verify and measure file integrity, by
> > adding the new Linux Integrity Modules(LIM) API calls to SElinux.
> > We are planning on posting the corresponding LIM and IMA patches to
> > LKML, but would like comments/suggestions here first, particularly
> > in regards to the policy checking code in selinux_measure() called 
> > from selinux_inode_permission().
> >
> > SELINUX_ENFORCE_INTEGRITY can be configured to either verify and
> > enforce integrity or to just log integrity failures. The default
> > is to just log integrity failures.
> >
> I haven't reviewed the patch yet, but in reference to the above comments:
> this should be controlled with policy, I think. It's tricky, though, and I
> haven't thought about all the ramifications yet; I'll get back to this
> after I've thought about it.

Without the SELINUX_INTEGRITY_ENFORCE option enabled, everything is
logged and nothing is denied.  This is meant to be similar to the selinux
'enforcing' option.  Currently it is only a compile-time option; perhaps,
just as enforcing is a runtime option, it should be a runtime option as
well.

> > The integrity of the SELinux metadata is verified when the xattr
> > is initially retrieved.  On an integrity failure, assuming that
> > integrity verification is enforced, normal error processing occurs.
> >
> > By default, all executables and all files that are mmap'ed executable
> > are measured. This patch extends the file class with 'measure'.
> > Additional files can be measured in selinux_inode_permission()
> > based on a FILE__MEASURE policy. (As the policy call is causing too
> > many files to be measured, it is commented out.) For example, to
> > measure kernel modules add:
> I'd like to say that if SELinux is controlling whether measurements
> happen or not, I don't think there should be a 'default' policy in the
> module. Being able to avoid the measurement overhead for domains that we
> don't care about would be a win; fine-grained as well as coarse-grained
> measurement selections can be done with SELinux.

Ok. I can understand that as long as SELinux is making some measurement
decisions based on policy, it could just as easily make all of the
measurement decisions. At the moment, though, I am having problems with
the avc_has_perm_noaudit() call in inode_permission().  Without defining a
'measure' policy, it measures a lot of files. Is this because the system
is running with a targeted policy?

Are you suggesting that there is no need for the measurement calls in
file_mmap()/bprm_check_security() and that there should only be the one
measurement call in inode_permission(), which is based on policy, or
are you suggesting that the measurement calls in bprm_check_security()
and file_mmap() be based on policy?

Thanks!

Mimi Zohar

