Re: c2 (or c2-like) auditing for Linux

From: Stephen D. Smalley (sdsat_private)
Date: Fri Jan 31 2003 - 06:44:55 PST

    > With the way that SE Linux works you can't stop readdir() from showing the 
    > name of a file or directory if the parent directory is readable.  Does this 
    > come from SE Linux or LSM?

    Neither the original SELinux kernel patch nor the LSM patch provide
    any mechanism for hiding file names.  See
    DTOS, a predecessor of SELinux, did protect file names based on the
    file's security attributes, but the result wasn't very satisfying.
    In order to 
    control name visibility, and
    permitted multiple files to exist with the same name as long as they
    differed in security context (transparent name extension).  That
    yielded rather interesting semantics and wasn't worth the overhead.

    > Isn't the name of a directory entry more important than the type of object it 
    > is?

    Shrug.  The name is part of the directory's state, not the inode's state.
    Hence, names are protected (both in ordinary Linux and SELinux) based on
    the directory's security attributes.

    In cases where you truly need to be concerned about hiding names (e.g. shared
    directories like /tmp), you really want a mechanism like 
    partitioned/polyinstantiated directories (aka multi-level directories for MLS) 
    or preferably a security union directory mechanism that provides a unified
    view of the partitioned directory to each process based on its security

    Stephen Smalley, NSA
    linux-security-module mailing list
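
The point in the reply above, that a name is protected by the directory's attributes rather than the file's, can be observed with ordinary Linux mode bits. The following C program is an added example, not part of the original message or of SELinux/LSM; it covers only the ordinary-Linux case, and the scratch directory and file name `secret` are constructed.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if readdir() on dir returns name, 0 if not, -1 if dir cannot be opened. */
static int name_listed(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, name) == 0) found = 1;
    closedir(d);
    return found;
}

/* Scratch directory with one mode-0000 file (constructed paths).
   out[0]: listed while dir is 0700 (file mode does not hide the name)
   out[1]: listed while dir is 0300 (-1 unless DAC is bypassed, e.g. root)
   out[2]: stat() by known name with dir 0300 (search bit, not read bit) */
int demo(int out[3]) {
    char dir[] = "/tmp/namevis.XXXXXX";
    char path[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;              /* created with mode 0700 */
    snprintf(path, sizeof path, "%s/secret", dir);
    int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    chmod(path, 0000);                         /* no access to the inode */
    out[0] = name_listed(dir, "secret");
    chmod(dir, 0300);                          /* drop read on the directory */
    out[1] = name_listed(dir, "secret");
    out[2] = (stat(path, &st) == 0);
    chmod(dir, 0700);                          /* restore so cleanup works */
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void) {
    int r[3];
    if (demo(r) != 0) return 1;
    printf("dir 0700: listed=%d; dir 0300: listed=%d, stat ok=%d\n", r[0], r[1], r[2]);
    return 0;
}
```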