04-24-2012, 05:37 PM
Daniel J Walsh

Runtime flexibility of SELinux


On 04/24/2012 01:16 PM, Tim Sheppard wrote:
> Hi,
>
> I am looking to use SELinux to secure a process that is made up of a number
> of discrete, sequential stages. One stage communicates to the next by
> writing results to a file and then an external process modifies the SELinux
> context of the file to allow the next stage to read the file and so on
> until the final stage is reached and the processing stops.
>
> The problem I have is that the number of stages is variable and can change
> with each invocation of the process, i.e. when I create the process I know
> the number of stages that will be required in it, but the number of stages
> could change with each invocation. I think therefore, that I need a means
> of creating new contexts on the fly and assigning them to the processes. Is
> it possible with SELinux to create a new security context (domain for the
> output file, and user/role for the stage process) on the fly and execute a
> process within that context such that it could poll a directory for input
> files and, if it is permitted to read the file perform its operation?
>
> Many Thanks,
>
> Tim Sheppard
>
>
If each process is going to require the same approximate access, I would use
MCS labeling for separation.

Basically define a sandbox type for your processes to run within and then have
your controlling app pick an MCS label for the process and the content.

chcon -t confined_file_t -l s0:c1 passing.file
runcon -t confined_proc_t -l s0:c1 proc1
When done
chcon -l s0:c2 passing.file
runcon -t confined_proc_t -l s0:c2 proc2
...
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-25-2012, 01:25 AM
"David P. Quigley"

Runtime flexibility of SELinux


It sounds like you want an assured pipeline for your process. You should
be able to search for that term on the selinuxproject.org wiki and find
a demonstration of that concept on there. If it's not there, email Stephen
Smalley and see what the status of that code is. I don't remember if we
ever released it.


Dave

 
04-25-2012, 08:41 AM
Tim Sheppard

Runtime flexibility of SELinux


Daniel,

Many Thanks, I'll look into MCS a bit more then. The other requirement I
have is to be able to do this all programmatically with C/C++ rather than
via bash. I assume that as there is a bash command there are comparable
function calls?


Cheers,

Tim

This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.

 
04-25-2012, 09:37 AM
Tim Sheppard

Runtime flexibility of SELinux

The other thing I need to be able to do is constrain a process to only
permit it to change a context from c1 -> c2 (or label1 -> label2 in the
general case). Is this possible to manage in a policy at all and if so
is there any runtime flexibility over the rules that can be created to
allow me to specify the only legal changes are c1 -> c2 -> c3 -> end for
process1-1 and c1 -> c2 -> c3 -> c4 -> c5 -> end for process1-2.
Essentially, I need to be able to ensure that a process cannot change
the security labelling to bypass a stage in the chain.


Many Thanks,

Tim

 
04-25-2012, 12:23 PM
Stephen Smalley

Runtime flexibility of SELinux

On Tue, 2012-04-24 at 21:25 -0400, David P. Quigley wrote:
> It sounds like you want an assured pipeline for your process. You should
> be able to search for that term on the selinuxproject.org wiki and find
> a demonstration of that concept on there. If its not there email Stephen
> Smalley and see what the status of that code is. I don't remember if we
> ever released it.

http://selinuxproject.org/page/PipelineDemo

--
Stephen Smalley
National Security Agency

 
04-25-2012, 12:40 PM
Stephen Smalley

Runtime flexibility of SELinux

On Wed, 2012-04-25 at 10:37 +0100, Tim Sheppard wrote:
> The other thing I need to be able to do is constrain a process to only
> permit it to change a context from c1 -> c2 (or label1 -> label2 in the
> general case). Is this possible to manage in a policy at all and if so
> is there any runtime flexibility over the rules that can be created to
> allow me to specify the only legal changes are c1 -> c2 -> c3 -> end for
> process1-1 and c1 -> c2 -> c3 -> c4-> c5 -> end for process1-2.
> Essentially, I need to be able to ensure that a process cannot change
> the security labelling to bypass a stage in the chain.

That's more easily expressed via Type Enforcement (which supports
intransitive relationships) than MLS. Type Enforcement is what is
normally used for assured pipelines. Some people have instead modeled
assured pipelines using MLS categories by using incomparable category
sets on the input and output sides of each stage and clever
configuration, but that's more complicated and less precise in its
control of the information flow.

With regard to runtime flexibility, there isn't presently a way to
programmatically instantiate new domains and types; your application can
only use ones that are already defined in the policy. So options might
include:
- Ship a policy module with your application that defines the maximal
set of domains/types ever required for one of these pipelines, and then
your application can just use the relevant subset for any given
instance, or

- Implement some kind of userspace daemon that runs with privilege (and
thus can load policy) and accepts requests to instantiate new pipeline
stage domains and types, generates new policy modules to define them,
and loads them (I think maybe some folks from Tresys have done this in
the past?).

Or you could always extend SELinux to directly support such
functionality, but that would be a larger project (and require a custom
kernel).

--
Stephen Smalley
National Security Agency

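The Type Enforcement version of the chain Stephen recommends, as an added example rather than anything from the thread or the PipelineDemo page: a reference-policy-style module that gives each stage its own domain and output file type and declares the longest chain up front (his first option), so a shorter run simply stops after an earlier stage. Every name in it (pipeline_ctl_t, stageN_t, stageN_exec_t, stageN_out_t, pipeline_work_t, pipeline_in_t) is assumed.

```selinux
policy_module(stage_pipeline, 1.0)
attribute pipeline_stage;     # shared by every stage domain

# Controller: polls the work directory and launches each stage. No domain
# in this module gets relabelfrom/relabelto, so nothing can move a file
# forward in the chain by relabeling it.
type pipeline_ctl_t;
type pipeline_ctl_exec_t;
domain_type(pipeline_ctl_t)
domain_entry_file(pipeline_ctl_t, pipeline_ctl_exec_t)

# Work directory and the type of the initial input file.
type pipeline_work_t;
type pipeline_in_t;
files_type(pipeline_work_t)
files_type(pipeline_in_t)
allow pipeline_ctl_t pipeline_work_t:dir { search getattr read };

# One domain, entry point and output type per stage, declared for the
# longest pipeline ever needed (three here); a shorter run stops early.
type stage1_t, pipeline_stage; type stage1_exec_t; type stage1_out_t;
type stage2_t, pipeline_stage; type stage2_exec_t; type stage2_out_t;
type stage3_t, pipeline_stage; type stage3_exec_t; type stage3_out_t;
domain_type(stage1_t)
domain_type(stage2_t)
domain_type(stage3_t)
files_type(stage1_out_t)
files_type(stage2_out_t)
files_type(stage3_out_t)

# A stage domain is entered only from the controller, and only through
# that stage's own executable.
domain_entry_file(stage1_t, stage1_exec_t)
domain_auto_trans(pipeline_ctl_t, stage1_exec_t, stage1_t)
domain_entry_file(stage2_t, stage2_exec_t)
domain_auto_trans(pipeline_ctl_t, stage2_exec_t, stage2_t)
domain_entry_file(stage3_t, stage3_exec_t)
domain_auto_trans(pipeline_ctl_t, stage3_exec_t, stage3_t)

# Stage N reads only stage N-1 output and creates only stage N output;
# type_transition labels each new file with the creating stage's type.
allow pipeline_stage pipeline_work_t:dir { search getattr read write add_name };
allow stage1_t pipeline_in_t:file  { read getattr open };
allow stage1_t stage1_out_t:file   { create write getattr open };
type_transition stage1_t pipeline_work_t:file stage1_out_t;
allow stage2_t stage1_out_t:file   { read getattr open };
allow stage2_t stage2_out_t:file   { create write getattr open };
type_transition stage2_t pipeline_work_t:file stage2_out_t;
allow stage3_t stage2_out_t:file   { read getattr open };
allow stage3_t stage3_out_t:file   { create write getattr open };
type_transition stage3_t pipeline_work_t:file stage3_out_t;
```

The reason no domain here holds relabelfrom or relabelto is that those permissions are checked per type, not as a from/to pair, so a domain allowed to relabel several types in the chain could skip a stage; labeling on creation via type_transition avoids that. After loading the module, `sesearch -A -p relabelto -s stage1_t` (and likewise for the other stage domains) should return nothing.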
 
04-26-2012, 02:04 PM
Tim Sheppard

Runtime flexibility of SELinux

Many Thanks,

I will look into the Secure Pipelines and policy delivery / update options.

Regards,

Tim
