Re: Clarifications of LSM API

From: Valdis.Kletnieks@private
Date: Tue Jun 29 2004 - 11:10:03 PDT


    On Tue, 29 Jun 2004 12:34:56 EDT, Stephen Smalley said:
    
    > You can implement that policy using SELinux and the conditional policy
    > support added by Tresys, i.e. the allow rules granting the graduate
    > student domain access to the foo shared resource type are bracketed with
    > a conditional on a policy boolean, and crond or some similar daemon
    > toggles the boolean value at the appropriate times.
    
    Have to admit, installing SELinux and integrating it into your system
    is a bit of overkill when all you *wanted* was:
    
        if ((uid >= 5000) && (uid < 10000) && time_between8_n_5) return -1;
    
    The point was that not every security requirement can be handled by SELinux.
    For instance, consider the now-venerable symlink/hardlink/fifo hardening that
    dates all the way back to Solar Designer's OpenWall patch for the 2.0.39
    kernel (and probably further)....  the current LSM version I have is:
    
    int vtkit_follow_link (struct dentry *dentry, struct nameidata *nd)
    {
            struct inode *i_target = dentry->d_inode;           /* the symlink itself */
            struct inode *i_parent = dentry->d_parent->d_inode; /* directory containing it */
    
            /* Refuse to follow a symlink in a sticky, world-writable directory
             * (e.g. /tmp) unless the link is owned by the directory owner or
             * by the process doing the follow. */
            if (security_safe_symlink &&
                    (i_parent->i_mode & S_ISVTX) && (i_parent->i_mode & S_IWOTH) &&
                    (i_parent->i_uid != i_target->i_uid) &&
                    (current->fsuid != i_target->i_uid)) {
                            printk(KERN_NOTICE "vtkit - rejecting symlink UID %d (dir UID %d) follow by PID %d (uid=%d, comm=%s)\n",
                                    i_target->i_uid, i_parent->i_uid, current->pid, current->uid, current->comm);
                            return -EPERM;
            }
            return 0;
    }
    
    Kind of hard to do in SELinux, as we don't *care* where i_target and i_parent
    are in the file system.
    
    Feel free to devise your own example if you don't like this one. ;)
    
    This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 11:11:03 PDT