
Re: Runtime flexibility of SELinux



On 4/24/2012 1:37 PM, Daniel J Walsh wrote:

On 04/24/2012 01:16 PM, Tim Sheppard wrote:
Hi,

I am looking to use SELinux to secure a process that is made up of a number
of discrete, sequential stages. One stage communicates to the next by
writing results to a file and then an external process modifies the SELinux
context of the file to allow the next stage to read the file and so on
until the final stage is reached and the processing stops.

The problem I have is that the number of stages is variable and can change
with each invocation of the process, i.e. when I create the process I know
the number of stages that will be required in it, but the number of stages
could change with each invocation. I think, therefore, that I need a means
of creating new contexts on the fly and assigning them to the processes. Is
it possible with SELinux to create a new security context (domain for the
output file, and user/role for the stage process) on the fly and execute a
process within that context such that it could poll a directory for input
files and, if it is permitted to read the file, perform its operation?

Many Thanks,

Tim Sheppard


If each process is going to require the same approximate access, I would use
MCS labeling for separation.

Basically define a sandbox type for your processes to run within and then have
your controlling app pick an MCS label for the process and the content.

chcon -t confined_file_t -l s0:c1 passing.file
runcon -t confined_proc_t -l s0:c1 proc1
When done
chcon -l s0:c2 passing.file
runcon -t confined_proc_t -l s0:c2 proc2
...
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

It sounds like you want an assured pipeline for your process. You should be able to search for that term on the selinuxproject.org wiki and find a demonstration of that concept on there. If it's not there, email Stephen Smalley and see what the status of that code is. I don't remember if we ever released it.

Dave
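
As an added example (not code from anyone in this thread), here is a controller for the MCS-per-stage scheme suggested above, generalized to a variable number of stages. The type names are the ones used in the thread and must exist in your policy; passing the file as each stage's argument, the DRY_RUN switch and the c0..c1023 category range are assumptions.

```shell
#!/bin/sh
# Added example: one MCS category per pipeline stage.
# confined_file_t / confined_proc_t are the thread's names; your policy must define them.
FILE_TYPE=confined_file_t
PROC_TYPE=confined_proc_t
MAX_CAT=1023   # assumption: policy defines categories c0..c1023

# mcs_level BASE INDEX -> prints the level for stage INDEX (1-based), e.g. "s0:c1".
# Fails on non-numeric input or when the category would fall outside c0..cMAX_CAT.
mcs_level() {
    case "$1$2" in ''|*[!0-9]*) return 1 ;; esac
    cat_no=$(( $1 + $2 - 1 ))
    [ "$cat_no" -ge 0 ] && [ "$cat_no" -le "$MAX_CAT" ] || return 1
    printf 's0:c%d\n' "$cat_no"
}

# run CMD ARGS... -> execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# run_pipeline BASE FILE STAGE... -> relabel FILE and run each STAGE in turn.
# Stage i runs at s0:c(BASE+i-1); the file is moved to that level first, so the
# previous stage's category no longer matches the file it handed over.
run_pipeline() {
    base=$1 file=$2
    shift 2
    [ "$#" -ge 1 ] || { echo "no stages given" >&2; return 1; }
    # Refuse to start if the last stage would not get a valid category.
    mcs_level "$base" "$#" >/dev/null || {
        echo "not enough MCS categories for $# stages" >&2; return 1; }
    i=1
    for stage in "$@"; do
        level=$(mcs_level "$base" "$i") || return 1
        run chcon -t "$FILE_TYPE" -l "$level" "$file" || return 1
        # Assumption: each stage takes the hand-off file as its only argument.
        run runcon -t "$PROC_TYPE" -l "$level" "$stage" "$file" || return 1
        i=$(( i + 1 ))
    done
}
```

With DRY_RUN=1, `run_pipeline 1 passing.file proc1 proc2` prints the chcon/runcon sequence without changing any labels, which is a convenient way to review the plan before running it as a user permitted to relabel the file.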
