From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 12 Aug 2011 10:00:09 -0400
Subject: [refpolicy] Status and discussion about rbacsep
In-Reply-To: <4E451F9D.1060807@tresys.com>
References: <4E2F0B0D.9050206@tresys.com> <1311707249.11418.19.camel@vortex>, <20110727204704.606662e8q76lz3sw@webmail.tuffmail.net>, <4E318362.4000103@tresys.com> <4E451F9D.1060807@tresys.com>
Message-ID: <4E4531E9.7020302@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/12/11 08:42, Christopher J. PeBenito wrote:
> On 08/11/11 03:03, HarryCiao wrote:
>> Hi Chris,
>>
>> These days I read through your discussions about rbacsep way back to
>> 2008. At that time you'd pointed out a todo list for full rbac
>> separation support:
>>
>> 1. Kernel's recognition of role_transition rule for non process classes;
>>
>> 2. Role attribute support as in below rbacsep constrain:
>>
>> constrain { dir file ... } { getattr read write .... }
>>     r1 == r2
>>     or r1 == system_r
>>     or r2 == object_r
>>     or r1 == rbac_subj_role_file_exempt
>>     or r2 == rbac_obj_role_file_exempt
>>     or t1 == rbac_subj_type_file_exempt
>>     or t2 == rbac_obj_type_file_exempt;
>>
>> 3. Add a new "role_change" rule and modify login/newrole program to
>> change controlling terminal's role according to that of user;
>>
>> 4. Add a new "role_member" rule for polyinstantiation support;
>>
>> 5. genhomedircon updated for role;
>>
>> *6. Move the policy to initialize newcontext from security_compute_sid()
>> in kernel up to refpolicy, by introducing new rules such as (suggested by
>> Stephen, not directly related with rbacsep):
>>
>> role_default {process socket ...} fromsource;
>> type_default {process socket ...} fromsource;
>> role_default {file dir ...} fromtarget;
>> type_default {file dir ...} fromtarget;
>
> I don't remember this one.
>
>> Here are my comments and questions:
>>
>> As for 1, it has been done since we have added the class support to the
>> role_transition rule. Refpolicy could have whatever needed rules added
>> to transition the role of files/dirs from object_r;
>>
>> As for 2, it has been done too since we have added the role attribute
>> support;
>>
>> As for 3 & 4, it won't be difficult for us to add these two new rules,
>> but I have not yet clearly understood the influence and meanings of the
>> role_change rule, could you explain it a bit more?
>
> Well we've had role_change rules since the ancient times. Its purpose
> is to inform userspace apps how to relabel a user's terminal when they
> change roles.

IIRC, the point with this one is that applications that use this (e.g. login, newrole) would need to change the role on the terminal too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com