List: selinux
Subject: Re: About Domain Transition
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2008-08-29 13:16:25
Message-ID: 1220015785.5708.285.camel () moss-spartans ! epoch ! ncsc ! mil
On Thu, 2008-08-28 at 16:33 -0400, Hong wrote:
> Suppose a process is in domain "CurrDom". Now the process invokes a
> program with type "Type".
> Following is my understanding of whether the execution can succeed,
> can anyone help me to see if it's correct?
>
> (1) If "CurrDom" does not have "execute" permission on "Type" with
> security class "file" (or variations), access is denied.
Correct.
> (2) If there is a type_transition rule that says "CurrDom" should
> transition to "NewDom" after executing type "Type", then
Or if the process explicitly requests "NewDom" via setexeccon(3) prior
to invoking execve().
> (2.1) If "CurrDom" does not have "transition" permission on
> "Type" with security class "file" (or variations), access is denied.
No, the transition check is: If "CurrDom" does not have "transition"
permission to "NewDom" (class process), access is denied.
> (2.2) If "NewDom" does not have "entrypoint" permission on "Type"
> with security class "file" (or variations), access is denied.
Correct.
> (2.3) Access is granted if both (2.1) and (2.2) are passed.
Yes, with the modification above.
> (3) There is no type_transition rule that says anything about a new domain
> for "CurrDom" when executing "Type"
And the process did not explicitly request a new domain via
setexeccon(3) prior to invoking execve().
> Access is granted only when "CurrDom" has "execute_no_trans"
> permission on "Type" with security class "file" (or variations).
Correct.
> I am not sure about following questions:
> (A) In (2), if multiple type_transition rules specify a new domain
> for "CurrDom", what'll happen?
There can only be one type_transition rule per (domain, type, class)
tuple. However, the application may explicitly request a particular
domain transition via setexeccon(3), and this will override any default
transition.
> (B) In (1), what if CurrDom has permission "execute_no_trans"?
Makes no difference.
> (C) If a process fails to transition to another domain in (2), and if
> CurrDom has permission "execute_no_trans", can it execute the program
> and stay in the current domain?
Only if it explicitly asks to stay in the same domain by using
setexeccon().
> Is there any documentation I can refer to so I can see how the access
> decision is made? Or where in the kernel source code the above logic is
> implemented?
http://www.nsa.gov/selinux/papers/module/x645.html
http://lxr.linux.no/linux+v2.6.26.3/security/selinux/hooks.c#L1946
--
Stephen Smalley
National Security Agency
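
Added example (not part of the original message and not kernel code): a small Python model of the type-enforcement checks at execve() as this thread describes them, including the case from question (C). The function name exec_decision, the tuple layout of the allow set and the sample policy are assumptions made for illustration.

```python
# Added model of the exec-time type-enforcement checks described in this thread.
# Not kernel code: roles, users, MLS and other exec-time checks are ignored.

def exec_decision(allow, type_transitions, curr, ftype, exec_con=None):
    """Return (allowed, resulting_domain, failed_permission_or_None).

    allow            -- set of (source, target, class, permission) tuples
    type_transitions -- dict keyed by (domain, type, class), so one rule per tuple
    exec_con         -- domain requested via setexeccon(3), or None
    """
    def has(src, tgt, cls, perm):
        return (src, tgt, cls, perm) in allow

    # (1) "execute" on the file type is required; execute_no_trans is no substitute.
    if not has(curr, ftype, "file", "execute"):
        return (False, curr, "execute")

    # An explicit setexeccon(3) request overrides the default type_transition.
    if exec_con is not None:
        new = exec_con
    else:
        new = type_transitions.get((curr, ftype, "process"), curr)

    if new == curr:
        # (3) staying in the current domain needs execute_no_trans on the file type.
        if not has(curr, ftype, "file", "execute_no_trans"):
            return (False, curr, "execute_no_trans")
        return (True, curr, None)

    # (2.1) as corrected in the reply: CurrDom -> NewDom, class process.
    if not has(curr, new, "process", "transition"):
        return (False, curr, "transition")
    # (2.2) NewDom must have entrypoint on the file type.
    if not has(new, ftype, "file", "entrypoint"):
        return (False, curr, "entrypoint")
    return (True, new, None)

# Constructed sample policy for question (C): a default transition exists but
# CurrDom lacks process:transition to NewDom.
SAMPLE_ALLOW = {
    ("CurrDom", "Type", "file", "execute"),
    ("CurrDom", "Type", "file", "execute_no_trans"),
    ("NewDom", "Type", "file", "entrypoint"),
}
SAMPLE_TT = {("CurrDom", "Type", "process"): "NewDom"}

if __name__ == "__main__":
    print(exec_decision(SAMPLE_ALLOW, SAMPLE_TT, "CurrDom", "Type"))
    print(exec_decision(SAMPLE_ALLOW, SAMPLE_TT, "CurrDom", "Type", exec_con="CurrDom"))
```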