Re: c2 (or c2-like) auditing for Linux

From: Russell Coker (russellat_private)
Date: Thu Jan 30 2003 - 17:31:09 PST

  • Next message: Crispin Cowan: "Re: c2 (or c2-like) auditing for Linux"

    On Fri, 31 Jan 2003 01:10, Casey Schaufler wrote:
    > > > In order to get any of those messages you will have had to access
    > > > the object to determine that it's a directory. The access check
    > > > will have been done (it had better!) before you go looking around
    > > > in the object.
    > >
    > > Sorry, no.  Type checking often occurs before any kind of permission
    > > check to the object, whether we are talking about DAC or the LSM hook
    > > call.
    > And in a DAC only world that's understandable because you're
    > allowed to look at the attributes even if the file mode is 000.
    > In a MAC world, however, you won't be permitted to look at
    > the attributes that tell you its a directory if you're not
    > cleared to read the file. This is the way that all LSPP systems
    > work today.
    With the way that SE Linux works you can't stop readdir() from showing the 
    name of a file or directory if the parent directory is readable.  Does this 
    come from SE Linux or LSM?
    Isn't the name of a directory entry more important than the type of object it 
    --
    My NSA Security Enhanced Linux packages
    Bonnie++ hard drive benchmark
    Postal SMTP/POP benchmark
    My home page
    linux-security-module mailing list
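The DAC behaviour the two posters are arguing over can be observed directly from user space. The following program is an added example, not code from the original thread or from SE Linux/LSM: it builds a throwaway tree under /tmp (a mkdtemp() parent containing a mode-000 subdirectory named "secret", both constructed by the program), then shows that readdir() on the readable parent still lists the entry's name, that stat() on the entry still reports it as a directory (stat() needs only search permission on the parent, not any permission on the object), and that only actually opening the entry is refused. The names `demo_run` and `struct obs` are this example's own. The refusal in step 3 holds only for a non-root caller, since root bypasses DAC entirely; a MAC policy of the LSPP kind Casey describes could also deny the stat(), which a DAC-only demonstration cannot show.

```c
/*
 * Added example (not from the original thread).  Demonstrates that under
 * DAC a directory entry's name and type leak through a readable, searchable
 * parent even when the entry itself is mode 000, while reading the entry
 * is what the mode bits actually block.  Requires a writable /tmp.
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct obs {
    int name_seen;      /* readdir() on the parent listed "secret" */
    int is_dir;         /* stat() on the entry reported S_IFDIR */
    int open_errno;     /* errno from opendir() on the entry, 0 if it opened */
    uid_t euid;         /* root bypasses DAC, so callers condition on this */
};

/* Builds /tmp/lsmdemo.XXXXXX/secret (mode 000), records observations,
 * removes the tree again.  Returns 0 on success, -1 if setup failed. */
int demo_run(struct obs *o)
{
    char parent[] = "/tmp/lsmdemo.XXXXXX";
    char child[64];
    memset(o, 0, sizeof *o);
    o->euid = geteuid();

    if (mkdtemp(parent) == NULL)
        return -1;
    snprintf(child, sizeof child, "%s/secret", parent);
    /* A directory nobody may read, write or search (mode 000). */
    if (mkdir(child, 0) != 0) {
        rmdir(parent);
        return -1;
    }

    /* 1. Listing the readable parent reveals the entry's name. */
    DIR *d = opendir(parent);
    if (d != NULL) {
        struct dirent *de;
        while ((de = readdir(d)) != NULL)
            if (strcmp(de->d_name, "secret") == 0)
                o->name_seen = 1;
        closedir(d);
    }

    /* 2. stat() needs only search (x) on the parent, not any permission on
     *    the entry itself, so the object's type is visible under DAC.
     *    (d_type from readdir() is not used: it may be DT_UNKNOWN.) */
    struct stat st;
    if (stat(child, &st) == 0 && S_ISDIR(st.st_mode))
        o->is_dir = 1;

    /* 3. Reading the object is what the mode bits block (for non-root). */
    DIR *s = opendir(child);
    if (s == NULL)
        o->open_errno = errno;
    else
        closedir(s);

    /* rmdir() needs write+search on the parent only, so cleanup works. */
    rmdir(child);
    rmdir(parent);
    return 0;
}

int main(void)
{
    struct obs o;
    if (demo_run(&o) != 0) {
        perror("setup");
        return 1;
    }
    printf("euid=%u name_seen=%d is_dir=%d open_errno=%d (%s)\n",
           (unsigned)o.euid, o.name_seen, o.is_dir, o.open_errno,
           o.open_errno ? strerror(o.open_errno) : "opened");
    return 0;
}
```

Run it as an unprivileged user to see name_seen=1, is_dir=1 and open_errno=13 (Permission denied); as root the last field reads "opened", which is exactly the DAC-versus-MAC distinction the thread is about.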

    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 17:32:25 PST