On Tue, 2007-06-05 at 11:59 -0700, Ken wrote:
> Ken wrote:
> > What can be sent and received as rawip to and from kernel_t, and what
> > are the limitations of what can be done with the data? I am interested
> > in understanding the security implications of this (and other) SELinux
> > permissions. Is there anyone who can direct me to reference materials
> > that explain the security implications of allowing various SELinux
> > permissions?
>
> Update:
> It appears that allowing rawip did not fix the problem, but that it was
> only a coincidence that the site worked for me after making the change;
> so understanding this permission is now less important to me.
>
> I am assuming that since no one answered any of my emails regarding
> permission documentation that there is none. With this in mind, I
> have a suggestion for those who have a good understanding of SELinux:
> Please create documentation that will allow an individual to research
> and understand the security implications of various permissions without
> the need for taking the time to gain an extensive knowledge of the LSM
> and SELinux. This would be very helpful to me (and I am sure to many
> other people as well) since I only want to learn what I need to in order
> to secure my system, and having a source of information would eliminate
> the need to know enough to extract the information myself.

Hi,

There are some resources available, but not quite in the form that I
think you wanted.

1) Reference policy documentation of its modules and interfaces,
locally viewable by running /usr/share/selinux/devel/policyhelp, or at:
http://oss.tresys.com/docs/refpolicy/api/

I think that this is really more suited to what you want, except that it
is done on the higher level abstractions/interfaces of refpolicy instead
of the individual permissions (and it needs more detail).

2) Overview of Classes and Permissions
http://www.tresys.com/selinux/obj_perms_help.html

These describe the meaning of the classes and permissions, but only in
general terms, not for specific domains/types.

3) SELinux Policy Writing Class Slides
http://www.tresys.com/selinux/selinux-course-outline
(click on the slide titles to download them)

This helps with understanding the policy constructs in general, but
won't give much detail about individual classes/perms except for the
specific cases covered.

4) SELinux by Example book
http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1

This has an appendix much like the overview in (2), but like (3), I
think most of this book is more oriented toward the policy concepts and
constructs than the individual classes/perms.

5) Original SELinux tech report
http://www.nsa.gov/selinux/papers/slinux-abs.cfm

This was the original description of the classes and permissions and
their rationales, although there have naturally been changes over time.

6) LSM-based SELinux tech report
http://www.nsa.gov/selinux/papers/module-abs.cfm

This described how the implementation changed for LSM and mapped the LSM
hooks to SELinux permission checks, so while it can be useful in
understanding the checks, it is too tied to the implementation to really
meet your request.

I think we'd all agree that better end user documentation is needed.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list