Stephen Smalley wrote:
On Tue, 2007-06-05 at 11:59 -0700, Ken wrote:
Ken wrote:
What can be sent and received as rawip to and from kernel_t, and what
are the limitations of what can be done with the data? I am interested
in understanding the security implications of this (and other) SELinux
permissions. Is there anyone who can direct me to reference materials
that explain the security implications of allowing various SELinux
permissions?
Update:
It appears that allowing rawip did not fix the problem, but that it was
only a coincidence that the site worked for me after making the change;
so understanding this permission is now less important to me.
I am assuming that since no one answered any of my emails regarding
permission documentation that there is none. With this this in mind, I
have a suggestion for those who have a good understanding of SELinux:
Please create documentation that will allow an individual to research
and understand the security implications of various permissions without
the need for taking the time to gain an extensive knowledge of the LSM
and SELinux. This would be very helpful to me (and I am sure to many
other people as well) since I only want to learn what I need to in order
to secure my system, and having a source of information would eliminate
the need to know enough to extract the information myself.
Hi,
There are some resources available, but not quite in the form that I
think you wanted.
1) Reference policy documentation of its modules and interfaces
locally viewable by running /usr/share/selinux/devel/policyhelp, or at:
http://oss.tresys.com/docs/refpolicy/api/
I think that this is really more suited to what you want, except that it
is done on the higher level abstractions/interfaces of refpolicy instead
of the individual permissions (and it needs more detail).
2) Overview of Classes and Permissions
http://www.tresys.com/selinux/obj_perms_help.html
These describe the meaning of the classes and permissions, but only in
general terms, not for specific domains/types.
3) SELinux Policy Writing Class Slides
http://www.tresys.com/selinux/selinux-course-outline
(click on the slide titles to download them)
This helps with understanding the policy constructs in general, but
won't give much detail about individual classes/perms except for the
specific cases covered.
4) SELinux by Example book
http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1
This has an appendix much like the overview in (2), but like (3), I
think most of this book is more oriented toward the policy concepts and
constructs than the individual classes/perms.
5) Original SELinux tech report
http://www.nsa.gov/selinux/papers/slinux-abs.cfm
This was the original description of the classes and permissions and
their rationales, although there have naturally been changes over time.
6) LSM-based SELinux tech report
http://www.nsa.gov/selinux/papers/module-abs.cfm
This described how the implementation changed for LSM and mapped the LSM hooks
to SELinux permission checks, so while it can be useful in understanding
the checks, it is too tied to the implementation to really meet your
request.
I think we'd all agree that better end user documentation is needed.
It will probably be a while before I can investigate all the material
you have listed, but I wanted to thank you before the post became too
old. I have already reviewed some of the material, and at present I
agree that it would be very helpful to have more detailed documentation
of the basic SELinux permissions.
- Ken -
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list