Off-line attacks protection for a domain confined with SELinux
Dominick Grift
domg472 at gmail.com
Fri Feb 19 14:53:54 UTC 2010
On 02/19/2010 03:37 PM, Roberto Sassu wrote:
> Hello all
>
> I'm wondering what assumptions must be made in order to assure that the domain
> "domX" is the only subject allowed to access a file with type "typeY" in a
> system where off-line attacks are possible and an integrity check on files and
> labels in the overall filesystem is not applicable due to the high performance
> penalty.
>
> These are the hypotheses I think are required:
> 1) kernel with SELinux, with policy loading and enforcing mode setting
> disabled at runtime;
> 2) there is an integrity system stacked with SELinux which is able to
> grant/deny access depending on the hash and the label of files (checks will be
> performed only a subset of files, as described in the following points);
> 3) "local_login_t" is the only domain allowed to change the process label;
> 4) every file used by the type "local_login_t" is integrity protected (I need
> to build a list of files used by this process and to specify a valid hash);
> 5) the regular user which plays with "domX" is mapped with the selinux user
> "user_t" (probably I need extra assumptions to protect the mapping);
> 6) "domX_exec_t" is the only entrypoint for "domX";
> 7) the label "domX_exec_t" is bound to the executable and its hash (the
> association is verified at execution time);
> 8) the transition "user_t -> domX" has been defined when executing a file
> labeled with "domX_exec_t";
> 9) for now I assume that the user root is not involved in this use case;
> 10) files labelled with "typeY" are protected and the label is bound to the
> hash (the association will be verified at access time);
> 11) no subject is authorized to relabelfrom "typeY";
>
> Then when defining the rule:
> allow domX typeY: file { getattr open read };
type typeY;
fs_associate(typeY)

If you use the above to declare/make usable your type, then nothing has
access to it (I believe).
Now you can define rules to allow access to the type.

If you declare/make usable typeY as below:

type typeY;
files_type(typeY)

Then the file_type attribute is assigned to your typeY.
Some processes have access to the file_type attribute, thus to typeY in the
example above.
> can I say that files labelled with typeY can be read only by the process
> started from the executable labelled with "domX_exec_t"?
>
> Thanks in advance for replies
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
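As an added example (not code from either poster), a minimal refpolicy-style module that combines Dominick's fs_associate-only declaration with the domX entrypoint and user_t transition from hypotheses 6 and 8 of the question; the module name domx_typey and the role user_r are assumptions, and the files_type variant is left commented out to show what it would add.

```selinux
policy_module(domx_typey, 1.0)

require {
    type user_t;
    role user_r;
}

# The confined domain and its single entrypoint (hypotheses 6 and 8).
type domX;
type domX_exec_t;
domain_type(domX)
domain_entry_file(domX, domX_exec_t)
role user_r types domX;

# user_t -> domX when a domX_exec_t file is executed.
domain_auto_trans(user_t, domX_exec_t, domX)

# Variant A (Dominick's first form): typeY gets only filesystem:associate,
# so it carries no file_type attribute and attribute-based rules such as
# files_read_all_files() or files_relabel_all_files() do not reach it.
type typeY;
fs_associate(typeY)

# Variant B (Dominick's second form), deliberately NOT used here:
# files_type(typeY) would add the file_type attribute, so every domain
# allowed on file_type would also be allowed on typeY.
# files_type(typeY)

# The only explicit access rule, as written in the original question.
allow domX typeY:file { getattr open read };
```

After loading the module, `sesearch -A -t typeY -c file` lists every allow rule whose target expands to typeY, which is the quickest way to confirm that domX is the only source domain.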