2008-10-16 19:01:13

by cpebenito

[permalink] [raw]
Subject: [refpolicy] (u|r)bacsep: initial testing

On Wed, 2008-07-16 at 12:12 -0400, Christopher J. PeBenito wrote:
> For those that are interested, the SELinux user-based separation policy
> is ready for some initial testing. It can be checked out from the
> rbacsep branch of the refpolicy SVN repo. Not all of the type aliases
> are in place for compatibility yet, so switching from an existing policy
> should be done in permissive.
>
> A question that comes up is how exactly to determine which types
> should be constrained by ubac. The obvious answer would seem to be that
> if the user isn't system_u, then there should be ubac constraints on the
> access check. But the problem is that creating new files gets your
> selinux user on files. So if you look in /etc, you're likely to see non
> system_u files, such as ld.so.cache. The problem is that we don't want
> ubac constraints on these files. In addition, since there is no
> run_init on redhat (and possibly other distros) machines, restarted
> services would get non system_u users, which would also cause problems.
>
> My current implementation is actually more of an allow by default setup,
> where types are explicitly marked as being ubac constrained. Obviously
> deny by default would be preferred, but that would require all exempted
> types to be marked instead. The problem is the number of exempted types
> far outnumbers the constrained types. I'm open to suggestions on
> tweaking this design, especially if it gets us a deny by default without
> the pain of marking most types in the policy as exempted.

ping

This is the last call. I have not heard any comments from the
community. User-based separations have finished going through vetting
internally at Tresys; I plan to finalize this and then merge it into
trunk in the next week or so unless there are any objections raised.

This really needs to be tested by people whose projects depend on proper
role separations.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


2008-10-16 21:55:11

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] (u|r)bacsep: initial testing

On Friday 17 October 2008 06:01, "Christopher J. PeBenito"
<[email protected]> wrote:
> This really needs to be tested by people whose projects depend on proper
> role separations.

This is something that interests me, but I will have no time to look at it
until after Lenny is released.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

2008-11-13 19:30:26

by Eamon Walsh

[permalink] [raw]
Subject: [refpolicy] (u|r)bacsep: initial testing

Christopher J. PeBenito wrote:
>
> ping
>
> This is the last call. I have not heard any comments from the
> community. User-based separations have finished going through vetting
> internally at Tresys; I plan to finalize this and then merge it into
> trunk in the next week or so unless there are any objections raised.
>
> This really needs to be tested by people whose projects depend on proper
> role separations.
>
>

I had to apply this patch to policy/constraints to get around a build error:

Index: constraints
===================================================================
--- constraints (revision 2873)
+++ constraints (working copy)
@@ -81,8 +81,11 @@

constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
- basic_ubac_conditions
- or t1 == ubacproc
+ ifdef(`enable_ubac',`
+ basic_ubac_conditions
+ or
+ ')
+ t1 == ubacproc
);

constrain process { transition noatsecure siginh rlimitinh }
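Review bot: when enable_ubac is not defined, the only thing left inside the parentheses is `t1 == ubacproc`, and since a constrain expression must evaluate true for the access to be granted, every source type outside ubacproc loses sigchld, signal, ptrace, setsched and the rest of the listed process permissions even though UBAC is switched off. The `ifdef(`enable_ubac',`` ... `')` should wrap the whole `constrain process { ... } ( ... );` statement rather than only `basic_ubac_conditions` and the `or`, so that disabling UBAC removes the constraint instead of tightening it.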




--
Eamon Walsh <[email protected]>
National Security Agency

2008-11-14 13:29:21

by cpebenito

[permalink] [raw]
Subject: [refpolicy] (u|r)bacsep: initial testing

On Thu, 2008-11-13 at 14:30 -0500, Eamon Walsh wrote:
> Christopher J. PeBenito wrote:
> >
> > ping
> >
> > This is the last call. I have not heard any comments from the
> > community. User-based separations have finished going through vetting
> > internally at Tresys; I plan to finalize this and then merge it into
> > trunk in the next week or so unless there are any objections raised.
> >
> > This really needs to be tested by people whose projects depend on proper
> > role separations.
>
> I had to apply this patch to policy/constraints to get around a build error:
>
> Index: constraints
> ===================================================================
> --- constraints (revision 2873)
> +++ constraints (working copy)
> @@ -81,8 +81,11 @@
>
> constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
> (
> - basic_ubac_conditions
> - or t1 == ubacproc
> + ifdef(`enable_ubac',`
> + basic_ubac_conditions
> + or
> + ')
> + t1 == ubacproc
> );
>
> constrain process { transition noatsecure siginh rlimitinh }

I put the whole constraint in the enable_ubac. If UBAC is disabled, we
don't want the t1 == ubacproc to still be a constraint.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
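The two points made in this thread, the allow-by-default design in which only explicitly marked types are subject to the user check (system_u exempt, so non-system_u files in /etc or services restarted without run_init are not affected) and the reason the whole constrain statement has to sit inside ifdef(`enable_ubac'), can be seen in a small model. This is an added example, not code from the refpolicy branch; the names `ubacproc` and `enable_ubac` come from the thread, while the contents of basic_ubac_conditions, the set of constrained types, the membership of ubacproc and the user and type names used as input are assumptions constructed for the illustration.

```python
"""Model of how a refpolicy-style UBAC constraint on process permissions
evaluates with and without enable_ubac.  Added example; the real policy
is m4 text compiled by checkpolicy, not Python.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context reduced to the fields the constraint looks at."""
    user: str
    role: str
    type: str


# Assumption: types that have been explicitly marked as UBAC constrained
# (the allow-by-default design: anything not listed here is exempt).
UBAC_CONSTRAINED = {"user_t", "staff_t"}

# Attribute named on the page as `ubacproc`; its membership here is a
# constructed example, not the branch's real assignment.
UBACPROC = {"ubac_exempt_proc_t"}


def basic_ubac_conditions(src: Context, tgt: Context) -> bool:
    """Modelled after the thread's description: the user check only bites
    when both types are marked, the SELinux users differ and neither side
    is system_u.  Everything else is permitted."""
    return (src.user == tgt.user
            or src.user == "system_u"
            or tgt.user == "system_u"
            or src.type not in UBAC_CONSTRAINED
            or tgt.type not in UBAC_CONSTRAINED)


def constraint_patched(src: Context, tgt: Context, enable_ubac: bool) -> bool:
    """Eamon's patch: only basic_ubac_conditions and the `or` sit inside
    ifdef(`enable_ubac'), so with UBAC disabled the parenthesised expression
    collapses to `t1 == ubacproc`.  A constrain expression must be true for
    the access to be granted, so every source type outside ubacproc is denied."""
    if enable_ubac:
        return basic_ubac_conditions(src, tgt) or src.type in UBACPROC
    return src.type in UBACPROC


def constraint_whole(src: Context, tgt: Context, enable_ubac: bool) -> bool:
    """Chris's version: the entire constrain statement is inside the ifdef, so
    with UBAC disabled no constraint exists and the allow rules stand alone."""
    if not enable_ubac:
        return True
    return basic_ubac_conditions(src, tgt) or src.type in UBACPROC


def explain(src: Context, tgt: Context, enable_ubac: bool) -> dict:
    """Evaluate both variants for one access and report them side by side."""
    return {
        "patched": constraint_patched(src, tgt, enable_ubac),
        "whole": constraint_whole(src, tgt, enable_ubac),
    }


if __name__ == "__main__":
    # Constructed sample contexts.
    sshd = Context("system_u", "system_r", "sshd_t")   # system service
    joe = Context("joe_u", "user_r", "user_t")         # constrained user
    bob = Context("bob_u", "user_r", "user_t")         # another user
    # A service restarted without run_init keeps the admin's SELinux user,
    # but its type is not marked, so allow-by-default leaves it alone.
    httpd = Context("joe_u", "system_r", "httpd_t")

    for label, s, t in [("sshd -> joe", sshd, joe),
                        ("joe -> bob", joe, bob),
                        ("bob -> httpd(joe_u)", bob, httpd)]:
        for flag in (True, False):
            print(f"{label:22} enable_ubac={flag!s:5} {explain(s, t, flag)}")
```

Running it shows the asymmetry that matters for review: with enable_ubac off, the patched form denies sshd_t signalling user_t because sshd_t is not in ubacproc, while the whole-statement form permits it; with enable_ubac on, both forms agree, denying only the case where two different non-system users on marked types meet.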