Hello,
I'd like commentary on the attached workflow for acl using SELinux. I've also posted this to the SELinux mailing list. An easier to read version is attached as ODT and available in PDF via the Jira (QPID-1838)
Thanks, -Josh I.Definitions A.In this narrative, "this Subject" means the process connecting to qpid. II.Determine the Action. A.If ACT_CREATE, ACT_DELETE:i.Determine the object type. If OBJ_QUEUE, determine if it is a server-side or client-side queue. ii.Determine if the Context of this Subject permits to CREATE or DELETE Objects in the parent Object? (i.e. are we allowed to create queues in this broker?) a)Determine this by searching the SELinux context list first by finding the map corresponding to object_type, then the map corresponding to the parent's name. TODO: how do we determine the parent from this object as passed in the Acl::authorise call?)
b)If this is not permitted, deny and return. iii.If command is create and Context does permit object creation: a)If this is OBJ_QUEUEDoes the Context of this Subject permit it to CREATE or DELETE queues of the type noted in i above? TODO: how do we represent "permitted to create server queue" and "permitted to create client queue" in the SELinux context list?
If Context does permit creation: Add an item in the SELinux context list for this object. Inherit this Object's context from the parent, OR Label according to the arguments passed in on the create call. Create the Object Return control Otherwise deny creation of object. b)If this is an OBJ_EXCHANGE, Add an item in the SELinux context list for this object. Inherit this Object's context from the parent, OR Label according to the arguments passed in on the create call. Create the Exchange. iv.If command is delete and Context does permit object deletion: Delete object as specified by method call. Delete object's reference in the SELinux context list.B.If ACT_CONSUME, ACT_PUBLISH, ACT_ACCESS, ACT_BIND, ACT_UNBIND, ACT_DELETE, ACT_PURGE, ACT_UPDATE: i.Determine if the Context of this Subject permits the noted action on the target Object:
a)Search the map of object types; when the target Object's Type is found, b)Search the resulting map for this Object's ID.c)Call security_compute_av to determine if this Subject is permitted to access the target Object with the Subject's context.
ii.If Yes: Allow iii.If No: Deny
SEL-Qpid-Workflow.odt
Description: application/vnd.oasis.opendocument.text
--------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:[email protected]
