On Wed, 2009-07-29 at 09:10 -0400, Stephen Smalley wrote:
> On Wed, 2009-07-29 at 23:01 +1000, James Morris wrote:
> > On Wed, 29 Jul 2009, Stephen Smalley wrote:
> >
> > > So I think the only piece of the proposal that is orthogonal to SELinux
> > > is privilege bracketing within the program (dropping caps after use).
> > > But the changes to the file and directory permissions seem more
> > > questionable.
> >
> > Once we have access control on policy itself, we may be able to provide an
> > API where an application can toggle a boolean on itself, e.g. to perform
> > one action with broader permissions, then switch to a tighter set of
> > permissions. This might be implementable in a way which also prevents
> > applications from ever gaining more permissions (via typebounds).
>
> We can actually already apply fine-grained access control on temporary
> changes to booleans - just specify a distinct label for the boolean in
> policy (via genfscon selinuxfs entries) and then control who can write
> to that file type.
>
> However, note that such changes affect all processes running in a given
> domain, so it isn't precisely the same thing as process privilege
> bracketing.

If you want something more akin to privilege bracketing within a program, then a closer analog in SELinux would be setcon(3) to switch to a more restricted domain. But in general our goal is to enforce security goals at the system level and not depend on the correctness of the application to shed privilege.

-- 
Stephen Smalley
National Security Agency

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
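As an added illustration of the two mechanisms discussed above (not code from the thread or from any shipped policy), the policy fragment below first gives one boolean's selinuxfs node its own type via genfscon so that write access can be granted per boolean, and then sets up a bounded domain that a process can drop into with setcon(3). It is written in kernel (checkpolicy) policy syntax; all type and boolean names (myapp_t, myapp_restricted_t, myapp_feature_bool_t, myapp_data_t, myapp_feature) are assumed, hypothetical names, and security_t is assumed to exist as the default selinuxfs type.

```selinux
# Hypothetical types for the example; myapp_data_t and security_t are
# assumed to be declared elsewhere in the policy.
type myapp_t;
type myapp_restricted_t;
type myapp_feature_bool_t;

# Part 1: a distinctly labelled boolean (the thread's "genfscon selinuxfs" idea).
bool myapp_feature false;

# Label only this boolean's node under /selinux/booleans with its own type
# instead of the generic security_t. (In a monolithic policy this line
# belongs in the genfs_contexts section at the end of the file.)
genfscon selinuxfs /booleans/myapp_feature system_u:object_r:myapp_feature_bool_t:s0

# Only myapp_t may write this particular boolean. selinuxfs additionally
# checks setbool against the security SID, and committing the pending value
# means writing /selinux/commit_pending_bools, which stays security_t.
allow myapp_t myapp_feature_bool_t:file { getattr open read write };
allow myapp_t security_t:security setbool;
allow myapp_t security_t:file { getattr open read write };

# What the boolean gates. Note that flipping it affects every myapp_t
# process on the system, not just the one that flipped it.
if (myapp_feature) {
    allow myapp_t myapp_data_t:file { write append };
}

# Part 2: per-process bracketing via setcon(3) into a restricted domain.
# setcon() needs setcurrent on self plus dyntransition to the target domain.
allow myapp_t self:process setcurrent;
allow myapp_t myapp_restricted_t:process dyntransition;

# typebounds makes the kernel reject any permission for myapp_restricted_t
# that myapp_t itself does not hold, so the switch can only shed privilege.
typebounds myapp_t myapp_restricted_t;
allow myapp_restricted_t myapp_data_t:file { getattr open read };
```

After the switch, the process is confined by myapp_restricted_t alone; unlike the boolean, this affects only the calling process, which is the distinction the message draws.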