Re: Legitimate Question

From: jmjonesat_private
Date: Thu Jan 24 2002 - 14:30:17 PST

    Um, the only problem I have is getting the executable I write to be "full
    permission" on a variety of systems.
    
    I guess it would be appropriate for it to be set the same priority via DTE
    or module-manual methods as the executable being installed, but I am
    somewhat uncertain as to how this can be done in a "cross-module" manner.
    
    INODES would be different, and that's the key (by design, near as I can
    figure.) Names could be the same.
    
    Any advice would be useful, or any modifications to the LSM interface that
    would support it would be useful.  I know that "having knowledge" of
    permissions is specifically out-spec, but
    
    Wouldn't it be more useful to be able, in a standard-interface sort of
    way, to be able to temporarily give an INSTALL type script/application the
    same permissions as another application (the installed software) would
    get? Call a hook with the name of the application as installed, for
    example, and require the module to assign "cloned" permissions?
    
    In essence, a standard way to communicate to the module to "interpret my
    permissions as if I was XYZ"... leaving it to the module to determine if
    the test program has a right to ask that?
    
    I think this sort of thing might be necessary for LSM to be generally
    accepted.
    
    Sincerely,
    J. Melvin Jones
     
    |>------------------------------------------------------
    ||  J. MELVIN JONES            jmjonesat_private 
    |>------------------------------------------------------
    ||  Microcomputer Systems Consultant  
    ||  Software Developer
    ||  Web Site Design, Hosting, and Administration
    ||  Network and Systems Administration
    |>------------------------------------------------------
    ||  http://www.jmjones.com/
    |>------------------------------------------------------
    
    On Thu, 24 Jan 2002, Seth Arnold wrote:
    
    > On Thu, Jan 24, 2002 at 05:03:01PM -0500, jmjonesat_private wrote:
    > > If no "standard" is adopted, I will write an application that can check 
    > > multiple accesses, hopefully to be included with the "standard package".
    > > Is this beyond the realm of reasonable?
    > 
    > Probably. It is my understanding that the Openwall-ish module, DTE,
    > SELinux, and whatever else we accumulate, will not actually be included
    > in our proposal to Linus for inclusion in Linux 2.5. Only the superuser
    > (dummy) and capabilities modules will be included, and shipped with the
    > kernel, if we get it accepted.
    > 
    > Thus, any such LSM-ClueBat application as Crispin proposed would
    > necessarily be distributed through non-LSM channels.
    > 
    > -- 
    > "In God we trust, all others we monitor."
    >  -- NSA, Intercept Operators' motto, 1970
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 14:31:35 PST