The (non-LSM) SELinux prototype allows append vs. write distinctions for files and directories. For files, you can grant a process with a particular security label append access to a file with a particular security label without giving the process general write access to the file. Likewise, for directories, you can allow a process to add links to a directory without granting it the ability to remove links from the directory.

For directories, I was able to implement our finer-grained permissions in the corresponding inode security operations (e.g. create, mkdir, link, etc.), while checking a general-purpose write permission in the inode permission hook. So the SELinux LSM module requires both the general-purpose write permission and the appropriate finer-grained permission to modify a directory. The general-purpose write permission check is merely to ensure mediation in all cases, but shouldn't really be necessary.

For files, I'm not sure how to provide the same distinction during the open checks with LSM, since LSM merely calls the permission function with the read/write access mode, so the module has no way of knowing if O_APPEND was specified. I could implement some support for setting the S_APPEND flag on inodes based on their security label in accordance with the security policy, but that would yield different semantics - append-only access for all processes, not just processes with particular labels.

Suggestions?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
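As an added illustration (not part of the message above or of the SELinux code), the user-space program below shows what the kernel actually guarantees for an O_APPEND open and why an append-vs-write distinction made only at open() time is incomplete: O_APPEND is a per-descriptor flag that the opening process can itself clear with fcntl(F_SETFL), so a label-based "append" permission would also need to mediate that call (the inode-level S_APPEND flag mentioned above is what makes the kernel refuse to clear it, for every process). The /tmp path and the seed content are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill a mkstemp() template (constructed sample file) with "AAAA\n"; 0 on success. */
static int make_seed_file(char *path) {
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int ok = write(fd, "AAAA\n", 5) == 5;
    close(fd);
    return ok ? 0 : -1;
}

/* Seek to offset 0, write "BB", then read the file back through a fresh descriptor.
   Returns 1 if "BB" landed at the start (a real overwrite), 0 if it went elsewhere, -1 on error. */
static int overwrote_start(int fd, const char *path) {
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, "BB", 2) != 2) return -1;
    char buf[16] = {0};
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) return -1;
    ssize_t n = read(rfd, buf, sizeof buf - 1);
    close(rfd);
    return n < 2 ? -1 : strncmp(buf, "BB", 2) == 0;
}

/* O_WRONLY|O_APPEND: the kernel ignores the seek and forces the write to the end.
   Returns 1 when the original start of the file is intact. */
int append_open_forces_end(void) {
    char path[] = "/tmp/lsm-append-demo-XXXXXX";
    if (make_seed_file(path) < 0) return -1;
    int fd = open(path, O_WRONLY | O_APPEND);
    int ov = fd < 0 ? -1 : overwrote_start(fd, path);
    if (fd >= 0) close(fd);
    unlink(path);
    return ov == 0;
}

/* Same open, but the process then drops O_APPEND via F_SETFL before writing.
   Returns 1 when the start was overwritten: the flag seen at open() was only a preference. */
int append_flag_dropped_overwrites(void) {
    char path[] = "/tmp/lsm-append-demo-XXXXXX";
    if (make_seed_file(path) < 0) return -1;
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) { unlink(path); return -1; }
    int fl = fcntl(fd, F_GETFL);
    int ov = (fl < 0 || fcntl(fd, F_SETFL, fl & ~O_APPEND) < 0) ? -1 : overwrote_start(fd, path);
    close(fd);
    unlink(path);
    return ov == 1;
}
```

On an inode carrying S_APPEND (chattr +a) the F_SETFL call in the second function fails with EPERM regardless of who the caller is, which is exactly the all-processes semantics the message contrasts with a per-label append permission.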
This archive was generated by hypermail 2b30 : Fri May 18 2001 - 12:59:24 PDT