SELinux Testing Software/Scripts

[Luke Kenneth Casson Leighton]

On Sat, Oct 16, 2004 at 09:56:41AM -0400, Alex Ackerman wrote:

> capabilities of SELinux; i.e., making sure that SELinux functions as
> advertised when dealing with events of escalating privilege. 

 just a comment [other than privilege means private law]:

 as i understand it, there is no "escalation" present in SE/Linux,
 only that assigned in the minds of us humans.

 a good analogy for the way that SE/Linux works is door-cards and
 guards.

 outside a building, you are given a door-card by a guard: depending
 on whether you are on a list, your door-card will now give you
 access a) to an entry point into the building b) the right to go
 through certain doors inside that building.

 at _some_ doors inside the building, there will be another guard.

 if you attempt to go through a door (assuming your card allows you to
 do that), the guard will, depending on whether you are on a list, TAKE
 AWAY your present card and GIVE YOU A TOTALLY DIFFERENT ONE.

 that card might, or might not, give you the right to go back through
 the door you have just gone through (!).

 so, you can enter the university building, use your card to get into
 the lecture theatre, but your card is taken away from you when you
 enter the lecture theatre, and the card you are given only allows you
 to go to the toilet or to the exit out the building.

 in this "world", there is no "escalation" as such.

 certain rooms are only allowed to be accessed by certain people who have
 certain cards: you can only get to a certain place via a specific route
 if you are the right person.

 that's a bit different from "escalating privilege" because that implies
 hierarchy, which SE/Linux doesn't have, per-se.

 l.

 p.s. if this analogy sounds a bit weird, to help you tie it into selinux,
 the guards swapping cards at doors is managed by "domain_auto_trans".