From: janos.milus@dataware.debis.hu
Subject: Re: A little patch - init security level and MAC categories and a
Date: Wed, 17 Jan 2001 11:24:48 +0100
Next Article (by Author): Re: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Previous Article (by Author): A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Top of Thread: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Next in Thread: Re: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Articles sorted by: [Date]
[Author]
[Subject]
(Sorry for the non standard reply type: if I want to send mail to the Internet, I must use Lotus Notes. That my company's policy) - IMHO theorethically the init is as common process as the shell or any other process in the system. The RSBAC should manage this process the same way as the others. As I known in the Bell-La Paula model when a process starting it got its owner's rights. So, when the init gets security level and MAC categories it should get it's owner, the root security level and categories. Not more nor less. - I think the solve of the problem of the device-less mount is not so simple. You can use RSBAC (and MAC) to build a very good jail: for example every file and directory in the system has 11000...0 MAC category, but there is a /sandbox directory which has 10000...0 category (and every file and directory under /sandbox has 10000...0 category of course). You can build a complet linux system under /sandbox and you can chroot to /sandbox. After it processess running in /sandbox can't break out. But if you can mount proc (becouse there is no attribute check) you can access some very dangerous thing, for example the kcore. Regards Janos Milus Amon Ott <ao@rsbac.org> on 2001.01.16 12:43:13 Please respond to RSBAC List <rsbac@rsbac.org> To: RSBAC List <rsbac@compuniverse.de> cc: Subject: Re: A little patch - init security level and MAC categories and a question On Fre, 12 Jan 2001 janos.milus@dataware.debis.hu wrote: > There is a little bug when process init registering in the version > 1.1.1-pre1. > Init got the default MAC categories and the default security level, not the > owner's (root's) security level and categories. > The patch is in attach against aci_data_structures.c > With this I can boot and log in to my computer, where the root (/) > directory > has more MAC categories. So far, init gets default categories and seclevel, defined in aci_data_structures.h. Maybe we should change these default settings to maximum, but keep root's on a minimum? > The question is: how can I set the MAC categories to a device, wich has > major/minor > numbers but has no inode under /dev ? For example the proc is not > mountable, > because it has default security level and categories. > (See attached file: patch) The problem is that device numbers for device-less mounts get dynamically assigned. What we could do is leave out the device attribute check for these devices - this is easy, because they always get major number 0. Amon. - To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with unsubscribe rsbac as single line in the body. - To unsubscribe from the rsbac list, send a mail to majordomo@rsbac.org with unsubscribe rsbac as single line in the body.
Next Article (by Author): Re: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Previous Article (by Author): A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Top of Thread: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Next in Thread: Re: A little patch - init security level and MAC categories and a janos.milus@dataware.debis.hu
Articles sorted by: [Date]
[Author]
[Subject]