SELinux Permission Documentation
Ken
mantaray_1 at cox.net
Sat Jun 9 00:34:49 UTC 2007
Stephen Smalley wrote:
> On Tue, 2007-06-05 at 11:59 -0700, Ken wrote:
>> Ken wrote:
>>> What can be sent and received as rawip to and from kernel_t, and what
>>> are the limitations of what can be done with the data? I am interested
>>> in understanding the security implications of this (and other) SELinux
>>> permissions. Is there anyone who can direct me to reference materials
>>> that explain the security implications of allowing various SELinux
>>> permissions?
>>>
>> Update:
>> It appears that allowing rawip did not fix the problem, but that it was
>> only a coincidence that the site worked for me after making the change;
>> so understanding this permission is now less important to me.
>>
>>
>> I am assuming that since no one answered any of my emails regarding
>> permission documentation that there is none. With this this in mind, I
>> have a suggestion for those who have a good understanding of SELinux:
>> Please create documentation that will allow an individual to research
>> and understand the security implications of various permissions without
>> the need for taking the time to gain an extensive knowledge of the LSM
>> and SELinux. This would be very helpful to me (and I am sure to many
>> other people as well) since I only want to learn what I need to in order
>> to secure my system, and having a source of information would eliminate
>> the need to know enough to extract the information myself.
>
> Hi,
>
> There are some resources available, but not quite in the form that I
> think you wanted.
>
> 1) Reference policy documentation of its modules and interfaces
> locally viewable by running /usr/share/selinux/devel/policyhelp, or at:
> http://oss.tresys.com/docs/refpolicy/api/
> I think that this is really more suited to what you want, except that it
> is done on the higher level abstractions/interfaces of refpolicy instead
> of the individual permissions (and it needs more detail).
>
> 2) Overview of Classes and Permissions
> http://www.tresys.com/selinux/obj_perms_help.html
> These describe the meaning of the classes and permissions, but only in
> general terms, not for specific domains/types.
>
> 3) SELinux Policy Writing Class Slides
> http://www.tresys.com/selinux/selinux-course-outline
> (click on the slide titles to download them)
> This helps with understanding the policy constructs in general, but
> won't give much detail about individual classes/perms except for the
> specific cases covered.
>
> 4) SELinux by Example book
> http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1
> This has an appendix much like the overview in (2), but like (3), I
> think most of this book is more oriented toward the policy concepts and
> constructs than the individual classes/perms.
>
> 5) Original SELinux tech report
> http://www.nsa.gov/selinux/papers/slinux-abs.cfm
> This was the original description of the classes and permissions and
> their rationales, although there have naturally been changes over time.
>
> 6) LSM-based SELinux tech report
> http://www.nsa.gov/selinux/papers/module-abs.cfm
> This described how the implementation changed for LSM and mapped the LSM hooks
> to SELinux permission checks, so while it can be useful in understanding
> the checks, it is too tied to the implementation to really meet your
> request.
>
> I think we'd all agree that better end user documentation is needed.
>
It will probably be a while before I can investigate all the material
you have listed, but I wanted to thank you before the post became too
old. I have already reviewed some of the material, and at present I
agree that it would be very helpful to have more detailed documentation
of the basic SELinux permissions.
- Ken -
More information about the fedora-selinux-list
mailing list