Runtime flexibility of SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Apr 24 17:37:50 UTC 2012



On 04/24/2012 01:16 PM, Tim Sheppard wrote:
> Hi,
> 
> I am looking to use SELinux to secure a process that is made up of a number
> of discrete, sequential stages. One stage communicates to the next by
> writing results to a file and then an external process modifies the SELinux
> context of the file to allow the next stage to read the file and so on
> until the final stage is reached and the processing stops.
> 
> The problem I have is that the number of stages is variable and can change
> with each invocation of the process, i.e. when I create the process I know
> the number of stages that will be required in it, but the number of stages
> could change with each invocation. I think therefore, that I need a means
> of creating new contexts on the fly and assigning them to the processes. Is
> it possible with SELinux to create a new security context (domain for the
> output file, and user/role for the stage process) on the fly and execute a
> process within that context such that it could poll a directory for input
> files and, if it is permitted to read the file perform its operation?
> 
> Many Thanks,
> 
> Tim Sheppard
> 
> 
If each process is going to require approximately the same access, I would use
MCS labeling for separation.

Basically define a sandbox type for your processes to run within and then have
your controlling app pick an MCS label for the process and the content.

chcon -t confined_file_t -l s0:c1 passing.file
runcon -t confined_proc_t -l s0:c1 proc1
When done
chcon -l s0:c2 passing.file
runcon -t confined_proc_t -l s0:c2 proc2
...
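Dan's sketch above, worked into a controlling script that walks one passing file through a variable number of stages; this is an added example, not code from the original mail. It assumes the sandbox types confined_file_t and confined_proc_t exist in the loaded policy and that the stage programs are called ./stage1, ./stage2, ... (both hypothetical); DRY_RUN=1 prints the commands instead of executing them so the labelling logic can be checked on a host without SELinux.

```shell
#!/bin/bash
# Added example: controlling app for an N-stage pipeline separated by MCS
# categories. Assumes confined_proc_t / confined_file_t are defined in policy.
set -eu

# MCS category assigned to stage N: stage 1 -> s0:c1, stage 2 -> s0:c2, ...
# One category per stage means a file carries exactly one stage's label at a
# time, which is what hands it from one stage to the next.
stage_category() {
    printf 's0:c%d\n' "$1"
}

# Full file context for stage N, as chcon will leave it (type + MCS range).
stage_file_context() {
    printf 'confined_file_t:%s\n' "$(stage_category "$1")"
}

# Run a command, or only print it when DRY_RUN=1 (chcon/runcon need a
# running SELinux policy, so this lets the sequencing be inspected anywhere).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Walk FILE through stages 1..STAGES. The controlling script (not the
# stages) does the relabelling, so a stage can never grant itself the next
# category; each stage runs in the sandbox type with only its own category.
run_pipeline() {
    local file=$1 stages=$2 i category
    for i in $(seq 1 "$stages"); do
        category=$(stage_category "$i")
        # Hand the file to stage i: same sandbox type, new category.
        run chcon -t confined_file_t -l "$category" "$file"
        # Stage i can read files labelled s0:cI but not other stages' files.
        run runcon -t confined_proc_t -l "$category" "./stage$i" "$file"
    done
}

# Usage: ./mcs-pipeline.sh passing.file 3
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then run_pipeline "$1" "$2"; fi
```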

