Re: A little patch - init security level and MAC categories and a


From: janos.milus@dataware.debis.hu
Subject: Re: A little patch - init security level and MAC categories and a
Date: Wed, 17 Jan 2001 11:24:48 +0100


(Sorry for the non-standard reply type: if I want to send mail to the
Internet, I must use Lotus Notes. That's my company's policy.)

- IMHO, theoretically init is as common a process as the shell or any
other process in the system. RSBAC should manage this process the same
way as the others. As far as I know, in the Bell-LaPadula model, when a
process starts it gets its owner's rights. So, when init gets its security
level and MAC categories, it should get its owner's (root's) security level
and categories. No more, no less.

- I think the solution to the problem of the device-less mount is not so
simple. You can use RSBAC (and MAC) to build a very good jail: for example,
every file and directory in the system has the 11000...0 MAC category, but
there is a /sandbox directory which has the 10000...0 category (and every
file and directory under /sandbox has the 10000...0 category, of course).
You can build a complete Linux system under /sandbox and you can chroot to
/sandbox. After that, processes running in /sandbox can't break out. But if
you can mount proc (because there is no attribute check) you can access some
very dangerous things, for example the kcore.

Regards
Janos Milus




Amon Ott <ao@rsbac.org> on 2001.01.16 12:43:13

Please respond to RSBAC List <rsbac@rsbac.org>

To:   RSBAC List <rsbac@compuniverse.de>
cc:

Subject:  Re: A little patch - init security level and MAC categories and a
      question




On Fri, 12 Jan 2001 janos.milus@dataware.debis.hu wrote:
> There is a little bug when the init process registers in version
> 1.1.1-pre1.
> Init got the default MAC categories and the default security level, not the
> owner's (root's) security level and categories.
> The patch is attached, against aci_data_structures.c
> With this I can boot and log in to my computer, where the root (/) directory
> has more MAC categories.

So far, init gets default categories and seclevel, defined in
aci_data_structures.h. Maybe we should change these default settings to
maximum, but keep root's on a minimum?

> The question is: how can I set the MAC categories for a device which has
> major/minor numbers but has no inode under /dev? For example, proc is not
> mountable, because it has the default security level and categories.
> (See attached file: patch)

The problem is that device numbers for device-less mounts get dynamically
assigned.

What we could do is leave out the device attribute check for these devices -
this is easy, because they always get major number 0.

Amon.
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
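
A simplified model of the category check discussed in this thread, added here as an illustration; it is not RSBAC code and not part of either message. The bit vectors are the ones from the jail example; `mount_req`, the policy names, the label put on proc and the `FALLBACK_LABEL` option are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t cat_vec;                 /* one bit per MAC category */
#define CAT(n) ((cat_vec)1 << (63 - (n))) /* category 0 = leftmost digit in the post */

#define CATS_SYSTEM  (CAT(0) | CAT(1))    /* 11000...0: files outside the jail */
#define CATS_SANDBOX (CAT(0))             /* 10000...0: everything under /sandbox */

/* Category half of the dominance rule: the subject must hold every
 * category carried by the object. */
static bool cats_dominate(cat_vec subject, cat_vec object)
{
    return (object & ~subject) == 0;
}

/* How a mount of a major-0 (device-less) filesystem is decided. */
enum major0_policy {
    CHECK_DEVICE,   /* use the label of the dynamically numbered device */
    SKIP_CHECK,     /* the exemption proposed in the thread */
    FALLBACK_LABEL  /* hypothetical: check against one fixed label instead */
};

struct mount_req {
    unsigned major;    /* 0 for device-less filesystems such as proc */
    cat_vec  dev_cats; /* label found on the device (constructed here) */
};

static bool mount_allowed(cat_vec subject, const struct mount_req *r,
                          enum major0_policy policy, cat_vec fallback)
{
    if (r->major == 0 && policy == SKIP_CHECK)
        return true;                       /* no attribute check at all */
    if (r->major == 0 && policy == FALLBACK_LABEL)
        return cats_dominate(subject, fallback);
    return cats_dominate(subject, r->dev_cats);
}

int main(void)
{
    struct mount_req proc = { 0, CATS_SYSTEM }; /* constructed request */
    printf("jailed process reads system file: %d\n", cats_dominate(CATS_SANDBOX, CATS_SYSTEM));
    printf("jailed mount of proc, SKIP_CHECK: %d\n",
           mount_allowed(CATS_SANDBOX, &proc, SKIP_CHECK, CATS_SYSTEM));
    printf("jailed mount of proc, FALLBACK_LABEL: %d\n",
           mount_allowed(CATS_SANDBOX, &proc, FALLBACK_LABEL, CATS_SYSTEM));
    return 0;
}
```

With `SKIP_CHECK` the jailed subject is allowed to mount proc even though it fails the file check, which is the gap described in the reply; a fixed label for major-0 mounts keeps the check in place without needing a stable device number.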





