Re: c2 (or c2-like) auditing for Linux

From: Mikel L. Matthews (mikel@argus-systems.com)
Date: Fri Jan 31 2003 - 06:03:56 PST

  • Next message: Stephen D. Smalley: "Re: c2 (or c2-like) auditing for Linux"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Depending on the MAC security model you are using, showing the contents
    of a directory doesn't cause any problem.  You are only reading the
    contents of the directory (for which you meet the security requirements),
    not the information from the inode.  If, after reading the contents, you
    try to stat(), open(), etc. the object and you don't meet the MAC model,
    it should fail.  If the model includes the label of the object as part
    of the name space, readdir() would have been modified to not return the
    name of the object you shouldn't have MAC access to.
    
    FYI, you can open up a possible covert channel when having the label as
    part of the name space, because you can determine where the read pointer
    is within the directory.
    
    Mike
    
    Russell Coker wrote:
    | On Fri, 31 Jan 2003 01:10, Casey Schaufler wrote:
    |
    |>>>In order to get any of those messages you will have had to access
    |>>>the object to determine that it's a directory. The access check
    |>>>will have been done (it had better!) before you go looking around
    |>>>in the object.
    |>>
    |>>Sorry, no.  Type checking often occurs before any kind of permission
    |>>check to the object, whether we are talking about DAC or the LSM hook
    |>>call.
    |>
    |>And in a DAC only world that's understandable because you're
    |>allowed to look at the attributes even if the file mode is 000.
    |>In a MAC world, however, you won't be permitted to look at
    |>the attributes that tell you its a directory if you're not
    |>cleared to read the file. This is the way that all LSPP systems
    |>work today.
    |
    |
    | With the way that SE Linux works you can't stop readdir() from showing the
    | name of a file or directory if the parent directory is readable.  Does this
    | come from SE Linux or LSM?
    |
    | Isn't the name of a directory entry more important than the type of object it
    | is?
    |
    
    
    - --
    Thanks,
    Mike
    
    Mikel L. Matthews
    S.V.P. and Chief Engineer
    Argus Systems Group, Inc.		www.argus-systems.com
    (217) 355-6308
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    
    iD8DBQE+OoJLt8r7n+hU7k8RAvhYAKDE1V3rgZWJ/Jt4ceXbqlWrMYSEcgCgmYEL
    HtTC4uZpoSOXlw/6P2m/Pkc=
    =vWQR
    -----END PGP SIGNATURE-----
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
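The three behaviours the thread argues about can be made concrete in a small model: a readdir() that is checked only against the directory (every name comes back), a stat()/open() that is checked against the object's own label (so the type of an object you are not cleared for stays hidden), and a label-aware readdir() that skips entries the caller cannot read, where the gap between the raw directory position and the number of names delivered is the covert channel Mike describes. The code below is an added illustration written for this archive page; it is not from the thread, from SE Linux, from LSM or from any Argus product. The sensitivity levels, the sample directory and the dominance rule (a subject may read an object whose level it dominates) are constructed assumptions for the example.

```c
/* Toy model of MAC directory semantics (added example, not code from the thread
 * or from any real LSM). Labels, entries and the dominance rule are invented. */
#include <stdio.h>
#include <string.h>

/* Hypothetical sensitivity levels: a subject reads an object if clearance >= label. */
enum level { PUBLIC = 0, CONFIDENTIAL = 1, SECRET = 2 };

struct dentry {
    const char *name;
    enum level label;   /* label of the object this entry names */
    int is_dir;         /* the "type" information the thread is arguing over */
};

struct directory {
    enum level label;             /* label of the directory itself */
    const struct dentry *entries;
    int count;
};

/* Constructed sample directory: publicly readable, with entries at mixed labels. */
static const struct dentry SAMPLE_ENTRIES[] = {
    { "README", PUBLIC,       0 },
    { "plans",  SECRET,       1 },
    { "notes",  CONFIDENTIAL, 0 },
    { "logs",   PUBLIC,       1 },
};
static const struct directory SAMPLE_DIR = { PUBLIC, SAMPLE_ENTRIES, 4 };

static int mac_can_read(enum level clearance, enum level label) {
    return clearance >= label;
}

/* readdir() when labels are NOT part of the name space: the only check is on the
 * directory, so every name is returned whatever the entry's own label. Returns the
 * number of names, or -1 for a denied read of the directory (think EACCES). */
static int readdir_plain(const struct directory *d, enum level clearance,
                         const char *out[], int max) {
    if (!mac_can_read(clearance, d->label)) return -1;
    int n = 0;
    for (int i = 0; i < d->count && n < max; i++) out[n++] = d->entries[i].name;
    return n;
}

/* stat()/open() on a name: enforced against the object's label, so a subject that
 * is not cleared never learns whether the entry is a directory. 0 on success,
 * -1 if MAC denies it (is_dir untouched), -2 if the name does not exist. */
static int mac_stat(const struct directory *d, enum level clearance,
                    const char *name, int *is_dir) {
    for (int i = 0; i < d->count; i++) {
        if (strcmp(d->entries[i].name, name) != 0) continue;
        if (!mac_can_read(clearance, d->entries[i].label)) return -1;
        *is_dir = d->entries[i].is_dir;
        return 0;
    }
    return -2;
}

/* readdir() when labels ARE part of the name space: entries the subject cannot
 * read are skipped. *pos is the raw slot index after the read, i.e. what a
 * telldir()-style read pointer would expose to the caller. */
static int readdir_labelled(const struct directory *d, enum level clearance,
                            const char *out[], int max, int *pos) {
    if (!mac_can_read(clearance, d->label)) return -1;
    int n = 0;
    *pos = 0;
    for (int i = 0; i < d->count && n < max; i++) {
        *pos = i + 1;
        if (mac_can_read(clearance, d->entries[i].label)) out[n++] = d->entries[i].name;
    }
    return n;
}

/* The covert channel: a low subject compares the read pointer with the number of
 * names it received and learns how many higher-labelled entries exist. */
static int hidden_entries(const struct directory *d, enum level clearance) {
    const char *names[16];
    int pos = 0;
    int n = readdir_labelled(d, clearance, names, 16, &pos);
    return n < 0 ? -1 : pos - n;
}

int main(void) {
    const char *names[16];
    int pos = 0, is_dir = -1;
    int n = readdir_plain(&SAMPLE_DIR, PUBLIC, names, 16);
    printf("plain readdir at PUBLIC: %d names\n", n);
    printf("stat(plans) at PUBLIC: %d (denied, type unknown)\n",
           mac_stat(&SAMPLE_DIR, PUBLIC, "plans", &is_dir));
    n = readdir_labelled(&SAMPLE_DIR, PUBLIC, names, 16, &pos);
    printf("labelled readdir at PUBLIC: %d names, read pointer %d, hidden %d\n",
           n, pos, hidden_entries(&SAMPLE_DIR, PUBLIC));
    return 0;
}
```

With labels outside the name space, `readdir_plain` at PUBLIC clearance returns all four names while `mac_stat` on `plans` is refused, which is the SE Linux behaviour Russell describes. With labels in the name space, `readdir_labelled` hides `plans` and `notes`, but the read pointer still advances over them, so `hidden_entries` lets a PUBLIC subject count exactly two objects it is not supposed to know about.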
    



    This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 06:07:54 PST