Stephen Smalley wrote:
> On Tue, 2005-01-04 at 10:21, Mike Hearn wrote:
>> A daemon that fixes contexts as files are added feels rather racy. I'm
>> sure I'm missing a lot of context from previous discussions on the matter
>> here, but perhaps the kernel should set the context automatically when a
>> new file is created in certain directories that are marked as "autofix".
>> OK so then we have the problem that the context setting code is all done
>> in userspace with regexes and other un-kernely things. Maybe there needs to
>> be a framework in the kernel where a thread that does a file creation can
>> be suspended and the kernel invokes a user-space program with the file
>> path to figure out what the context should be. Once the process returns
>> with the answer the file can be atomically created/set and the original
>> thread resumes.
> To clarify, the file_contexts configuration is only really intended to
> initialize the security contexts for a filesystem at install-time.
> After that point, you shouldn't be setting file contexts based on
> pathnames, as they don't convey the desired information about the real
> security properties of the object. Instead, you want the file to be
> labeled based on the creating process domain and parent directory type
> (which is what the kernel does), and allow security-aware applications
> to further customize the context if necessary for finer-grained labeling
> (which is already supported via the libselinux API). Pathname-based
> security considered harmful.
But inode based automagic labeling is gonna be needed, and the aliasing
problems due to path in order to accomplish same can be handled.
JMHO, policy still congealing.
73 de Jeff
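As an added example (not part of this thread, and not SELinux or libselinux code): a small Python model of the labeling rule Stephen describes. A new file's type comes from a type_transition rule keyed on the creating process domain and the parent directory type, or, absent a rule, is inherited from the parent; a security-aware process can override that default, which is what libselinux's setfscreatecon() provides and what the Process.setfscreatecon method here stands in for. The type_transition rules, file_contexts patterns and type names are constructed for illustration. The hard-link step goes beyond the text to show the path aliasing Jeff mentions: one inode carries one label, while a pathname lookup gives a different answer for each name.

```python
import re
from dataclasses import dataclass, field
from itertools import count

# Constructed type_transition rules, keyed by
# (creating process domain, parent directory type, object class) -> new type.
TYPE_TRANSITIONS = {
    ("httpd_t", "tmp_t", "file"): "httpd_tmp_t",
    ("user_t", "user_home_dir_t", "file"): "user_home_t",
}

# Constructed file_contexts-style table (regex -> type). On a real system this
# is consulted at install/relabel time, not on every file creation.
FILE_CONTEXTS = [
    (re.compile(r"^/var/www(/.*)?$"), "httpd_sys_content_t"),
    (re.compile(r"^/tmp(/.*)?$"), "tmp_t"),
    (re.compile(r"^/home/[^/]+(/.*)?$"), "user_home_t"),
]

_inode_numbers = count(1)


@dataclass
class Inode:
    ino: int
    type_: str                      # type component of the security context


@dataclass
class Directory:
    type_: str
    entries: dict = field(default_factory=dict)   # name -> Inode


def kernel_default_type(domain, parent_type, cls="file"):
    """The kernel's default labeling decision: a matching type_transition
    rule wins; otherwise the new object inherits its parent directory's type."""
    return TYPE_TRANSITIONS.get((domain, parent_type, cls), parent_type)


class Process:
    """A process running in one SELinux domain."""

    def __init__(self, domain):
        self.domain = domain
        self.fscreate = None        # stands in for libselinux setfscreatecon()

    def setfscreatecon(self, type_):
        # Overrides the default for files this process creates until the
        # override is cleared again by passing None.
        self.fscreate = type_

    def create(self, parent, name):
        type_ = self.fscreate or kernel_default_type(self.domain, parent.type_)
        inode = Inode(next(_inode_numbers), type_)
        parent.entries[name] = inode
        return inode


def link(inode, parent, name):
    """Hard link: a second pathname for the same inode. The label belongs to
    the inode, so it is unchanged by the new name."""
    parent.entries[name] = inode


def matchpathcon(path):
    """Pathname-based lookup in the file_contexts table; as with file_contexts,
    the last matching specification wins."""
    result = None
    for pattern, type_ in FILE_CONTEXTS:
        if pattern.match(path):
            result = type_
    return result


def demo():
    """Create files under the kernel rule, alias one inode by hard link, and
    compare the inode-based label with the path-based answers."""
    tmp = Directory("tmp_t")
    www = Directory("httpd_sys_content_t")
    sess = Process("httpd_t").create(tmp, "sess")        # rule -> httpd_tmp_t
    index = Process("user_t").create(www, "index.html")  # no rule -> inherits
    link(sess, www, "sess")                              # /var/www/sess is /tmp/sess
    return {
        "sess_inode_type": sess.type_,
        "index_type": index.type_,
        "path_based_tmp": matchpathcon("/tmp/sess"),
        "path_based_www": matchpathcon("/var/www/sess"),
        "same_inode": tmp.entries["sess"] is www.entries["sess"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the two views diverging: the inode created by httpd_t in a tmp_t directory is httpd_tmp_t under both of its names, whereas matchpathcon() reports tmp_t for /tmp/sess and httpd_sys_content_t for /var/www/sess, so any decision keyed on the pathname depends on which alias the caller happened to use.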