From patchwork Thu Jul 16 11:18:25 2020
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 11667177
From: Dominick Grift
To: selinux@vger.kernel.org
Cc: Dominick Grift
Subject: [SELinux-notebook PATCH v3] objects.md: some clarifications
Date: Thu, 16 Jul 2020 13:18:25 +0200
Message-Id: <20200716111825.953813-1-dominick.grift@defensec.nl>
X-Mailer: git-send-email 2.27.0
X-Mailing-List: selinux@vger.kernel.org

Elaborate a bit on labeling. Touch on the significance of the default
statement, on various av permissions related to labeling using the
libselinux API, and on how the kernel and unlabeled initial security
identifiers are used to address labeling challenges in special cases
such as initialization and failover respectively.

Signed-off-by: Dominick Grift
---
v2: fixes patch description
v3: adding patch description, s/policies/policy's/, split unlabeled and
kernel descriptions to clarify

 src/objects.md | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/src/objects.md b/src/objects.md
index 58664ef..55c7ea1 100644
--- a/src/objects.md
+++ b/src/objects.md
@@ -110,14 +110,20 @@ objects is managed by the system and generally unseen by the users (until labeling goes wrong !!). As processes and objects are created and destroyed, they either: -1. Inherit their labels from the parent process or object. +1. Inherit their labels from the parent process or object. The policy + default type, role and range statements can be used to change the + behavior as discussed in the [**Default Rules**](default_rules.md#default-object-rules) + section. 2. The policy type, role and range transition statements allow a different label to be assigned as discussed in the [**Domain and Object Transitions**](domain_object_transitions.md#domain-and-object-transitions) section. 3. SELinux-aware applications can enforce a new label (with the - policies approval of course) using the **libselinux** API - functions. + policy's approval of course) using the **libselinux** API + functions. The `process setfscreate` access vector can be used to + allow subjects to create files with a new label programmatically + using the ***setfscreatecon**(3)* function, overriding default + rules and transition statements. 4. An object manager (OM) can enforce a default label that can either be built into the OM or obtained via a configuration file (such as those used by 
@@ -269,6 +275,23 @@ and manage their transition: `type_transition`, `role_transition` and `range_transition` +SELinux-aware applications can enforce a new label (with the policy's +approval of course) using the **libselinux** API functions. The +`process setexec`, `process setkeycreate` and `process setsockcreate` +access vectors can be used to allow subjects to label processes, +kernel keyrings, and sockets programmatically using the +***setexec**(3)*, ***setkeycreatecon**(3)* and +***setsockcreatecon**(3)* functions respectively, overriding +transition statements. + +The `kernel` **initial security identifier** is used to associate +specified labels with subjects that were left unlabeled due to +initialization. + +The `unlabeled` **initial security identifier** is used +to associate specified labels with subjects that had their label +invalidated due to policy changes at runtime. + ### Object Reuse As GNU / Linux runs it creates instances of objects and manages the
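Review bot: in the first hunk (the new item 3 text), "overriding default rules and transition statements" comes right after "(with the policy's approval of course)" and can be read as `process setfscreate` letting a subject bypass policy; consider "taking precedence over the default rules and transition statements" so it is clear that only the label choice changes, not whether the policy permits the creation. The manual-page reference `***setfscreatecon**(3)*` nests italic around bold; the second hunk uses the same form, so just confirm this is the notebook's convention before merging.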
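Review bot: in the second hunk, the opening sentence of the first new paragraph repeats item 3 of the labeling list verbatim ("SELinux-aware applications can enforce a new label (with the policy's approval of course) using the **libselinux** API functions."); a shorter lead-in such as "Similarly, the `process setexec`, `process setkeycreate` and `process setsockcreate` access vectors ..." avoids saying it twice in one file. The `kernel` and `unlabeled` initial security identifier paragraphs mention only subjects, while the surrounding section covers both processes and objects; say whether objects are covered too, and link the two terms to wherever the notebook documents initial SIDs (if such a section exists), as the first hunk does for Default Rules and Domain and Object Transitions.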