Runtime flexibility of SELinux

Tim Sheppard tsheppard at taz.qinetiq.com
Wed Apr 25 08:41:40 UTC 2012


On 24/04/12 18:37, Daniel J Walsh wrote:
> On 04/24/2012 01:16 PM, Tim Sheppard wrote:
>> Hi,
>>
>> I am looking to use SELinux to secure a process that is made up of a number
>> of discrete, sequential stages. One stage communicates to the next by
>> writing results to a file and then an external process modifies the SELinux
>> context of the file to allow the next stage to read the file and so on
>> until the final stage is reached and the processing stops.
>>
>> The problem I have is that the number of stages is variable and can change
>> with each invocation of the process, i.e. when I create the process I know
>> the number of stages that will be required in it, but the number of stages
>> could change with each invocation. I think therefore, that I need a means
>> of creating new contexts on the fly and assigning them to the processes. Is
>> it possible with SELinux to create a new security context (domain for the
>> output file, and user/role for the stage process) on the fly and execute a
>> process within that context such that it could poll a directory for input
>> files and, if it is permitted to read the file perform its operation?
>>
>> Many Thanks,
>>
>> Tim Sheppard
>>
>>
> If each process is going to require the same approximate access, I would use
> MCS labeling for separation.
>
> Basically define a sandbox type for your processes to run within and then have
> your controlling app pick an MCS label for the process and the content.
>
> chcon -t confined_file_t -l s0:c1 passing.file
> runcon -t confined_proc_t -l s0:c1 proc1
> When done
> chcon -l s0:c2 passing.file
> runcon -t confined_proc_t -l s0:c2 proc2
> ...
Daniel,

Many Thanks, I'll look into MCS a bit more then. The other requirement I 
have is to be able to do this all programmatically with C/C++ rather than 
via bash. I assume that as there is a bash command there are comparable 
function calls?

Cheers,

Tim
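An added example, not from either message in this thread: the chcon/runcon recipe above turned into a controller script that handles a variable number of stages, with a check that each relabel actually took before the next stage is launched. It assumes, as the reply does, that the loaded policy defines confined_file_t and confined_proc_t, and additionally that each stage program takes the handoff file as its argument.

```shell
#!/bin/sh
# Added example (not from the thread): drive an N-stage pipeline with one MCS
# category per stage. Assumed, not on the page: confined_file_t and
# confined_proc_t exist in the policy; stage programs take the file as $1.
set -eu

# Category label for a stage: stage 1 -> s0:c1, stage 2 -> s0:c2, ...
# The default MCS policy provides categories c0..c1023, so refuse anything else.
mcs_label() {
    stage=$1
    if [ "$stage" -lt 0 ] || [ "$stage" -gt 1023 ]; then
        echo "stage $stage has no usable MCS category" >&2
        return 1
    fi
    printf 's0:c%d\n' "$stage"
}

# Range part (sensitivity plus categories) of a file's current context, e.g. "s0:c1".
file_range() {
    stat -c %C "$1" | cut -d: -f4-
}

# Move the handoff file into the next stage's category and verify the relabel took:
# if the old category were silently kept, the next stage would start with no read access.
relabel_for_stage() {
    stage=$1; file=$2
    label=$(mcs_label "$stage")
    chcon -t confined_file_t -l "$label" "$file"
    actual=$(file_range "$file")
    if [ "$actual" != "$label" ]; then
        echo "relabel of $file failed: wanted $label, got $actual" >&2
        return 1
    fi
}

# Run one stage confined to its own category; only a file carrying that category is readable to it.
run_stage() {
    stage=$1; file=$2; prog=$3
    relabel_for_stage "$stage" "$file"
    runcon -t confined_proc_t -l "$(mcs_label "$stage")" "$prog" "$file"
}

# run_pipeline FILE PROG1 PROG2 ...: the number of stages is simply the number of programs given.
run_pipeline() {
    file=$1; shift
    stage=1
    for prog in "$@"; do
        run_stage "$stage" "$file" "$prog"
        stage=$((stage + 1))
    done
}

if [ "$#" -ge 2 ]; then run_pipeline "$@"; fi
```

The libselinux counterparts of these two commands are setfilecon(3) for the relabel and setexeccon(3), called before the exec of the stage, for the process context.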
