[redhat-lspp] Re: inotify_rm_watch behavior
Stephen Smalley
sds at tycho.nsa.gov
Tue Sep 12 14:10:21 UTC 2006
On Tue, 2006-09-12 at 09:45 -0400, Stephen Smalley wrote:
> Yes, I pointed this out during the "Syscalls questions" discussion back
> in June. Not sure why no one bothered adding such a constraint to MLS
> policy at the time. It would be something like:
> policy/mls:
> # No sharing of open file descriptions between levels unless
> # the process type is authorized to use fds created by
> # other levels (mlsfduse) or the fd type is authorized to
> # shared among levels (mlsfdshare).
> mlsconstrain fd use ( l1 eq l2 or t1 == mlsfduse or t2 == mlsfdshare);
>
> policy/modules/kernel/mls.te:
> attribute mlsfduse;
> attribute mlsfdshare;
>
> policy/modules/kernel/mls.if:
> interface(`mls_fd_use',`
> gen_require(`
> attribute mlsfduse;
> ')
>
> typeattribute $1 mlsfduse;
> ')
>
> interface(`mls_fd_share',`
> gen_require(`
> attribute mlsfdshare;
> ')
>
> typeattribute $1 mlsfdshare;
> ')
>
>
> And then one would add mls_fd_use() and mls_fd_share() as appropriate to
> types in the policy, e.g.
> policy/modules/system/selinuxtil.te:
> mls_fd_share(newrole_t)
>
> and likewise for login and friends.
>
> Naturally, one would need to exercise the system quite a bit to work out
> exactly what domains require such use/sharing.
BTW, the closest equivalent in the TE policy is the 'privfd' attribute
and the domain_interactive_fd() and domain_use_interactive_fd()
interfaces.
--
Stephen Smalley
National Security Agency
More information about the Linux-audit
mailing list