| Message ID | 20200716121729.962241-1-dominick.grift@defensec.nl (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [SELinux-notebook,v4] objects.md: some clarifications | expand |
On Thu, Jul 16, 2020 at 8:18 AM Dominick Grift <dominick.grift@defensec.nl> wrote: > > Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively. > > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > v2: fixes patch description > v3: adding patch description, s/policies/policy's/, split unlabeled and kernel descriptions for clarity > v4: fixes another typo in description and emphasize system initialization a bit > > src/objects.md | 29 ++++++++++++++++++++++++++--- > 1 file changed, 26 insertions(+), 3 deletions(-) > > diff --git a/src/objects.md b/src/objects.md > index 58664ef..c67787d 100644 > --- a/src/objects.md > +++ b/src/objects.md > @@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users > (until labeling goes wrong !!). As processes and objects are created and > destroyed, they either: > > -1. Inherit their labels from the parent process or object. > +1. Inherit their labels from the parent process or object. The policy > + default type, role and range statements can be used to change the > + behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) > + section. > 2. The policy type, role and range transition statements allow a > different label to be assigned as discussed in the > [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) > section. > 3. SELinux-aware applications can enforce a new label (with the > - policies approval of course) using the **libselinux** API > - functions. > + policy's approval of course) using the **libselinux** API > + functions. The `process setfscreate` access vector can be used to > + allow subjects to create files with a new label programmatically > + using the ***setfscreatecon**(3)* function, overriding default > + rules and transition statements. > 4. An object manager (OM) can enforce a default label that can either > be built into the OM or obtained via a configuration file (such as > those used by > @@ -269,6 +275,23 @@ and manage their transition: > > `type_transition`, `role_transition` and `range_transition` > > +SELinux-aware applications can enforce a new label (with the policy's > +approval of course) using the **libselinux** API functions. The > +`process setexec`, `process setkeycreate` and `process setsockcreate` > +access vectors can be used to allow subjects to label processes, > +kernel keyrings, and sockets programmatically using the > +***setexec**(3)*, ***setkeycreatecon**(3)* and > +***setsockcreatecon**(3)* functions respectively, overriding > +transition statements. > + > +The `kernel` **initial security identifier** is used to associate > +specified labels with subjects that were left unlabeled due to > +system initialization. You are iterating faster than I can review the patches ;) Please don't misunderstand, I'm very happy you're contributing to the notebook; I was hoping people would get involved and I'm glad to see that is happening. That said, while it is true that there are a few objects that are initially assigned the "kernel" isid, those should gain proper labels as they complete the initialization process, unless of course they are actually owned by the kernel. Which brings me to the next point, some objects are legitimately owned by the kernel, the fact that they are labeled with the "kernel" isid is intentional. The same holds true for the "kernel" isid as a subject label, in cases where you see the "kernel" isid as a subject, it is actually the kernel acting on something. > +The `unlabeled` **initial security identifier** is used > +to associate specified labels with subjects that had their label > +invalidated due to policy changes at runtime. > + > ### Object Reuse > > As GNU / Linux runs it creates instances of objects and manages the > -- > 2.27.0
On 7/17/20 3:36 AM, Paul Moore wrote: > On Thu, Jul 16, 2020 at 8:18 AM Dominick Grift > <dominick.grift@defensec.nl> wrote: >> >> Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively. >> <snip> > The same holds true > for the "kernel" isid as a subject label, in cases where you see the > "kernel" isid as a subject, it is actually the kernel acting on > something. > Thanks In my experience, processes other than kernel threads can end up associated with the kernel sid. One notable example is plymouthd which is run from the initramfs and will still be there for a short while after systemd/init loads policy. But AFAIK any process that is started from the initramfs and that persists after policy is loaded essentially ends up with the kernel isid. So even though practically it is generally the kernel threads that remain visibly associated with kernel sid to the naked eye, In actuality it in my experience boils down to "subjects that were left unlabeled due to system initialization", whether its the kernel or some long running process started before SELinux was initializaed.
diff --git a/src/objects.md b/src/objects.md index 58664ef..c67787d 100644 --- a/src/objects.md +++ b/src/objects.md @@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either: -1. Inherit their labels from the parent process or object. +1. Inherit their labels from the parent process or object. The policy + default type, role and range statements can be used to change the + behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) + section. 2. The policy type, role and range transition statements allow a different label to be assigned as discussed in the [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) section. 3. SELinux-aware applications can enforce a new label (with the - policies approval of course) using the **libselinux** API - functions. + policy's approval of course) using the **libselinux** API + functions. The `process setfscreate` access vector can be used to + allow subjects to create files with a new label programmatically + using the ***setfscreatecon**(3)* function, overriding default + rules and transition statements. 4. An object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as those used by @@ -269,6 +275,23 @@ and manage their transition: `type_transition`, `role_transition` and `range_transition` +SELinux-aware applications can enforce a new label (with the policy's +approval of course) using the **libselinux** API functions. The +`process setexec`, `process setkeycreate` and `process setsockcreate` +access vectors can be used to allow subjects to label processes, +kernel keyrings, and sockets programmatically using the +***setexec**(3)*, ***setkeycreatecon**(3)* and +***setsockcreatecon**(3)* functions respectively, overriding +transition statements. + +The `kernel` **initial security identifier** is used to associate +specified labels with subjects that were left unlabeled due to +system initialization. + +The `unlabeled` **initial security identifier** is used +to associate specified labels with subjects that had their label +invalidated due to policy changes at runtime. + ### Object Reuse As GNU / Linux runs it creates instances of objects and manages the
Elaborate on labeling. Touch on the significance of the default statement, on various av permissions related to labeling using the libselinux API, and on how the kernel and unlabeled initial security identifiers are used to address labeling challenges in special cases such as initialization and failover respectively. Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> --- v2: fixes patch description v3: adding patch description, s/policies/policy's/, split unlabeled and kernel descriptions for clarity v4: fixes another typo in description and emphasize system initialization a bit src/objects.md | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-)