Runtime flexibility of SELinux

David P. Quigley selinux at davequigley.com
Wed Apr 25 01:25:43 UTC 2012


On 4/24/2012 1:37 PM, Daniel J Walsh wrote:
> On 04/24/2012 01:16 PM, Tim Sheppard wrote:
>> Hi,
>>
>> I am looking to use SELinux to secure a process that is made up of a number
>> of discrete, sequential stages. One stage communicates to the next by
>> writing results to a file and then an external process modifies the SELinux
>> context of the file to allow the next stage to read the file and so on
>> until the final stage is reached and the processing stops.
>>
>> The problem I have is that the number of stages is variable and can change
>> with each invocation of the process, i.e. when I create the process I know
>> the number of stages that will be required in it, but the number of stages
>> could change with each invocation. I think therefore, that I need a means
>> of creating new contexts on the fly and assigning them to the processes. Is
>> it possible with SELinux to create a new security context (domain for the
>> output file, and user/role for the stage process) on the fly and execute a
>> process within that context such that it could poll a directory for input
>> files and, if it is permitted to read the file perform its operation?
>>
>> Many Thanks,
>>
>> Tim Sheppard
>>
>>
> If each process is going to require the same approximate access, I would use
> MCS labeling for separation.
>
> Basically define a sandbox type for your processes to run within and then have
> your controlling app pick an MCS label for the process and the content.
>
> chcon -t confined_file_t -l s0:c1 passing.file
> runcon -t confined_proc_t -l s0:c1 proc1
> When done
> chcon -l s0:c2 passing.file
> runcon -t confined_proc_t -l s0:c2 proc2
> ...

It sounds like you want an assured pipeline for your process. You should 
be able to search for that term on the selinuxproject.org wiki and find 
a demonstration of that concept on there. If it's not there, email Stephen 
Smalley and see what the status of that code is. I don't remember if we 
ever released it.

Dave
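
The MCS handoff from Daniel Walsh's quoted reply, generalized to a variable number of stages, as an added example that is not part of the original thread. The function names, the DRY_RUN switch and the c0..c1023 category range are assumptions; confined_file_t and confined_proc_t are the type names from the reply and must exist in local policy.

```sh
#!/bin/sh
# Added example (not from the thread): per-stage MCS handoff for N stages.
# confined_file_t / confined_proc_t are the type names from the reply above
# and are assumed to exist in local policy.
FILE_TYPE=confined_file_t
PROC_TYPE=confined_proc_t
MAX_CAT=1023          # assumption: policy defines categories c0..c1023

# Print the command when DRY_RUN=1 (the default); otherwise execute it.
step() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# run_pipeline FILE FIRST_CAT STAGE_CMD...
# Stage i runs at s0:c(FIRST_CAT+i); the handoff file is relabeled to that
# same level just before the stage starts, so the file always carries the
# category of the stage about to run.
run_pipeline() {
    [ "$#" -ge 3 ] || { echo "usage: run_pipeline FILE FIRST_CAT STAGE..." >&2; return 1; }
    file=$1 n=$2
    shift 2
    case "$n" in
        ''|*[!0-9]*) echo "first category must be a number" >&2; return 1 ;;
    esac
    # Reject the whole run up front rather than failing halfway through.
    if [ $((n + $# - 1)) -gt "$MAX_CAT" ]; then
        echo "not enough categories for $# stages from c$n" >&2
        return 1
    fi
    first=1
    for stage in "$@"; do
        level="s0:c$n"
        if [ "$first" = 1 ]; then
            # First handoff sets both the type and the level on the file.
            step chcon -t "$FILE_TYPE" -l "$level" "$file" || return 1
            first=0
        else
            step chcon -l "$level" "$file" || return 1
        fi
        step runcon -t "$PROC_TYPE" -l "$level" "$stage" || return 1
        n=$((n + 1))
    done
}
```

With DRY_RUN left at its default the function only prints the chcon/runcon sequence, which is a convenient way to review the labels before running it for real with DRY_RUN=0.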
