Message ID | 20200710071431.107444-1-dominick.grift@defensec.nl (mailing list archive) |
---|---|
State | Superseded |
Series | [SELinux-notebook,v2] objects.md: some clarifications |
On Fri, 2020-07-10 at 09:14 +0200, Dominick Grift wrote: > v2: fixes patch description > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > src/objects.md | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) > Acked-by: Richard Haines <richard_c_haines@btinternet.com> > diff --git a/src/objects.md b/src/objects.md > index 58664ef..aadb539 100644 > --- a/src/objects.md > +++ b/src/objects.md > @@ -110,14 +110,20 @@ objects is managed by the system and generally > unseen by the users > (until labeling goes wrong !!). As processes and objects are created > and > destroyed, they either: > > -1. Inherit their labels from the parent process or object. > +1. Inherit their labels from the parent process or object. The > policy > + default type, role and range statements can be used to change > the > + behavior as discussed in the [**Default > Rules**](default_rules.md#default-object-rules) > + section. > 2. The policy type, role and range transition statements allow a > different label to be assigned as discussed in the > [**Domain and Object > Transitions**](domain_object_transitions.md#domain-and-object- > transitions) > section. > 3. SELinux-aware applications can enforce a new label (with the > policies approval of course) using the **libselinux** API > - functions. > + functions. The `process setfscreate` access vector can be used > to > + allow subjects to create files with a new label programmatically > + using the ***setfscreatecon**(3)* function, overriding default > + rules and transition statements. > 4. An object manager (OM) can enforce a default label that can > either > be built into the OM or obtained via a configuration file (such > as > those used by 
> @@ -269,6 +275,20 @@ and manage their transition: > > `type_transition`, `role_transition` and `range_transition` > > +SELinux-aware applications can enforce a new label (with the > policies > +approval of course) using the **libselinux** API functions. The > +`process setexec`, `process setkeycreate` and `process > setsockcreate` > +access vectors can be used to allow subjects to label processes, > +kernel keyrings, and sockets programmatically using the > +***setexec**(3)*, ***setkeycreatecon**(3)* and > +***setsockcreatecon**(3)* functions respectively, overriding > +transition statements. > + > +The `kernel` and `unlabeled` **initial security identifiers** are > used > +to associate specified labels with subjects that were left unlabeled > +due to initialization or with subjects that had their label > +invalidated due to policy changes at runtime respectively. > + > ### Object Reuse > > As GNU / Linux runs it creates instances of objects and manages the
On Fri, Jul 10, 2020 at 3:14 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > v2: fixes patch description > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> Thanks for the patch, but just like any other project, it would be nice to see a patch description here. You can also move the changelog portion of the patch below a "--" delimiter so it doesn't get caught up in the main description (changelogs aren't quite as useful once the patch has been committed to the tree). > --- > src/objects.md | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) ... > @@ -269,6 +275,20 @@ and manage their transition: > > `type_transition`, `role_transition` and `range_transition` > > +SELinux-aware applications can enforce a new label (with the policies As someone who is barely fluent in one language I hate to criticize others when they are writing in their non-native language, but I think this should be "policy's" not "policies". > +approval of course) using the **libselinux** API functions. The > +`process setexec`, `process setkeycreate` and `process setsockcreate` > +access vectors can be used to allow subjects to label processes, > +kernel keyrings, and sockets programmatically using the > +***setexec**(3)*, ***setkeycreatecon**(3)* and > +***setsockcreatecon**(3)* functions respectively, overriding > +transition statements. > + > +The `kernel` and `unlabeled` **initial security identifiers** are used > +to associate specified labels with subjects that were left unlabeled > +due to initialization or with subjects that had their label > +invalidated due to policy changes at runtime respectively. That looks like a good definition for "unlabeled", but it doesn't look like you've defined the "kernel" isid? > ### Object Reuse > > As GNU / Linux runs it creates instances of objects and manages the > -- > 2.27.0
Paul Moore <paul@paul-moore.com> writes: > On Fri, Jul 10, 2020 at 3:14 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> v2: fixes patch description >> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > > Thanks for the patch, but just like any other project, it would be > nice to see a patch description here. You can also move the changelog > portion of the patch below a "--" delimiter so it doesn't get caught > up in the main description (changelogs aren't quite as useful once the > patch has been committed to the tree). Thanks. I will redo it. > >> --- >> src/objects.md | 24 ++++++++++++++++++++++-- >> 1 file changed, 22 insertions(+), 2 deletions(-) > > ... 
> >> @@ -269,6 +275,20 @@ and manage their transition: >> >> `type_transition`, `role_transition` and `range_transition` >> >> +SELinux-aware applications can enforce a new label (with the policies > > As someone who is barely fluent in one language I hate to criticize > others when they are writing in their non-native language, but I think > this should be "policy's" not "policies". I appreciate these corrections and will apply that with a v3 > >> +approval of course) using the **libselinux** API functions. The >> +`process setexec`, `process setkeycreate` and `process setsockcreate` >> +access vectors can be used to allow subjects to label processes, >> +kernel keyrings, and sockets programmatically using the >> +***setexec**(3)*, ***setkeycreatecon**(3)* and >> +***setsockcreatecon**(3)* functions respectively, overriding >> +transition statements. >> + >> +The `kernel` and `unlabeled` **initial security identifiers** are used >> +to associate specified labels with subjects that were left unlabeled >> +due to initialization or with subjects that had their label >> +invalidated due to policy changes at runtime respectively. > > That looks like a good definition for "unlabeled", but it doesn't look > like you've defined the "kernel" isid? I did (note the "respectively") but maybe I wrote it down in a less than optimal way?: kernel: "are used to associate specified labels with subjects that were left unlabeled due to initialization" unlabeled: "(are used to associate specified labels) with subjects that had their label invalidated due to policy changes at runtime" > >> ### Object Reuse >> >> As GNU / Linux runs it creates instances of objects and manages the >> -- >> 2.27.0
diff --git a/src/objects.md b/src/objects.md index 58664ef..aadb539 100644 --- a/src/objects.md +++ b/src/objects.md @@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either: -1. Inherit their labels from the parent process or object. +1. Inherit their labels from the parent process or object. The policy + default type, role and range statements can be used to change the + behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) + section. 2. The policy type, role and range transition statements allow a different label to be assigned as discussed in the [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) section. 3. SELinux-aware applications can enforce a new label (with the policies approval of course) using the **libselinux** API - functions. + functions. The `process setfscreate` access vector can be used to + allow subjects to create files with a new label programmatically + using the ***setfscreatecon**(3)* function, overriding default + rules and transition statements. 4. An object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as those used by 
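Review bot: the added item 3 text ("create files with a new label ... overriding default rules and transition statements") reads as if the caller can pick any label once it holds `process setfscreate`; it cannot. The context set with `setfscreatecon(3)` only replaces the label that would otherwise be computed, and the kernel still checks the normal `create` permission (plus `add_name` on the parent directory and so on) for the chosen type and object class, so a sentence such as "the chosen label must still be allowed by the usual create rules" belongs here. Two smaller points in the same hunk: the fscreate context is applied to every file-system object class the calling thread creates (directories, FIFOs, sockets, symlinks), not only regular files, and it stays in effect until cleared with `setfscreatecon(NULL)`, so "files" is too narrow; and since this hunk already edits item 3, the unchanged line just above ("with the policies approval of course") could be fixed to "policy's" in the same patch rather than leaving the typo for a follow-up.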
@@ -269,6 +275,20 @@ and manage their transition: `type_transition`, `role_transition` and `range_transition` +SELinux-aware applications can enforce a new label (with the policies +approval of course) using the **libselinux** API functions. The +`process setexec`, `process setkeycreate` and `process setsockcreate` +access vectors can be used to allow subjects to label processes, +kernel keyrings, and sockets programmatically using the +***setexec**(3)*, ***setkeycreatecon**(3)* and +***setsockcreatecon**(3)* functions respectively, overriding +transition statements. + +The `kernel` and `unlabeled` **initial security identifiers** are used +to associate specified labels with subjects that were left unlabeled +due to initialization or with subjects that had their label +invalidated due to policy changes at runtime respectively. + ### Object Reuse As GNU / Linux runs it creates instances of objects and manages the
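Review bot: "with the policies approval" should be "with the policy's approval" (Paul's point on the list), and the same sentence is now duplicated almost verbatim from item 3 earlier in the file, so it may be worth cross-referencing rather than repeating it. Two accuracy points in the same paragraph: `setexeccon(3)` does not relabel the running process, it records the context to be applied at the thread's next `execve(2)` (the policy still needs to allow the `process transition`), so "label processes" should read "set the label a process will receive at its next execve(2)"; and the initial SID sentence is hard to parse because "respectively" trails a long compound clause, while "subjects" is too narrow for `unlabeled`, which is also assigned to objects whose stored context is missing or not defined in the loaded policy. Suggest splitting it into two sentences, e.g. "The `kernel` initial SID labels kernel threads and other subjects that exist before a policy is loaded. The `unlabeled` initial SID labels subjects and objects whose context is missing or was invalidated by a policy change at runtime."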
v2: fixes patch description

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 src/objects.md | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)