On Wed, 2006-10-25 at 08:22 -0400, Stephen Smalley wrote:
> To elaborate, as I understood it, seusers (managed via semanage login)
> was to provide per-Linux-user authorizations for MLS/MCS ranges, while
> multiple such Linux users might be mapped to a single SELinux user that
> was authorized for the full system range. The login-style programs
> would then ensure that the range in the initial security context for the
> Linux user's session was limited by the value defined in seusers, and
> SELinux policy would subsequently ensure that processes in that session
> can not escalate outside of that range via newrole -l (or other
> mechanism).

My understanding is that while security_check_context() allows it, the setexeccon() will fail. Which seemed to be good enough.

> It isn't sufficient to check the validity of the context with the
> user-supplied level, because from the kernel's POV, any level might be
> authorized for the underlying SELinux user identity, whereas seusers
> might have defined a more restricted range for the Linux user identity.
> You need a check between the user-supplied level and the seusers-defined
> value (more generally, this could be an avc_has_perm or
> security_compute_av check between contexts containing those levels, and
> the underlying policy could define a mlsconstrain on the corresponding
> permission).

-- 
James Antill - <[EMAIL PROTECTED]>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
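The check discussed in the thread, comparing a user-supplied level against the range seusers grants the Linux login, can be sketched as follows. This is an added example, not code from either poster or from any SELinux project. It swaps the avc_has_perm / security_compute_av policy check mentioned above for a plain userspace dominance comparison, and it assumes untranslated `sN:cN` labels, numerically ordered sensitivities, a 1024-category limit, and constructed seusers entries; the function names are hypothetical.

```python
import re

MAX_CAT = 1023  # assumption: categories c0..c1023
# Constructed sample in the login:seuser:range layout of an seusers file.
SEUSERS = """\
alice:staff_u:s0-s0:c0.c10
bob:staff_u:s0-s2:c0.c1023
__default__:user_u:s0
"""

def parse_level(text):
    """'s1:c0.c3,c7' -> (1, frozenset({0, 1, 2, 3, 7}))."""
    sens, sep, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {text!r}")
    found = set()
    for part in cats.split(",") if sep else []:
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        # An unparsable part becomes the empty interval (1, 0) and is rejected.
        lo, hi = (int(c.group(1)), int(c.group(2) or c.group(1))) if c else (1, 0)
        if not lo <= hi <= MAX_CAT:
            raise ValueError(f"bad category set in {text!r}")
        found.update(range(lo, hi + 1))
    return int(m.group(1)), frozenset(found)

def parse_range(text):
    """'low-high' -> (low, high); a single level is the range low-low."""
    low, sep, high = text.partition("-")
    return parse_level(low), parse_level(high if sep else low)

def dominates(a, b):
    # Assumption: sensitivities order numerically (s0 < s1 < ...); the real
    # ordering comes from the loaded policy's dominance statement.
    return a[0] >= b[0] and a[1] >= b[1]

def level_allowed(login, requested, seusers=SEUSERS):
    """True only if `requested` lies inside the seusers range for `login`."""
    table = {}
    for line in seusers.splitlines():
        name, _seuser, rng = line.split(":", 2)
        table[name] = rng
    try:
        auth_lo, auth_hi = parse_range(table.get(login, table["__default__"]))
        req_lo, req_hi = parse_range(requested)
    except ValueError:
        return False  # malformed input is denied, never passed through
    return (dominates(req_hi, req_lo) and dominates(req_lo, auth_lo)
            and dominates(auth_hi, req_hi))
```

In the constructed table, alice and bob share the SELinux user staff_u, so a request of `s0:c20` for alice is refused by this per-login comparison regardless of what staff_u itself is authorized for.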
