Re: c2 (or c2-like) auditing for Linux

From: Casey Schaufler (caseyat_private)
Date: Fri Jan 31 2003 - 14:14:08 PST

Russell Coker wrote:

> Isn't the name of a directory entry more important than the type of object it
> is?

... I'll tell you where he came from, here's the story, and it's true

The question arises in that peculiar case of the path "less/more",
where "less" is less secret than "more", which is more secret.
How did it come about that you have a more secret director contained
in a less secret one? After all, when the directory was created it
was created in a directory that was writable by the creating process,
which implies it was running less secret.* An explicit action taken
by a less secret process would set the label to more secret. All
these actions would take place while running less secret, using
only less secret information**. Thus, there can't be an issue
because the name of the more secret directory was created in a
less secret context.

Simple, ain't it?

*  On Trusted Solaris a user running less secret would use
	# mksecdir more more
   while on Trusted Irix it would be
	# mkdir more ; chlabel more more
** less secret processes having no access to more secret
   information, of course.


Casey Schaufler				Manager, Trust Technology, SGI
caseyat_private				voice: 650.933.1634
casey_pat_private			Pager: 877.557.3184
linux-security-module mailing list

This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 14:15:51 PST