Off-line attacks protection for a domain confined with SELinux

Hello all

I'm wondering what assumptions must be made in order to assure that the domain 
"domX" is the only subject allowed to access a file with type "typeY" in a 
system where off-line attacks are possible and an integrity check on files and 
labels in the overall filesystem is not applicable due to the high performance 
penalty.
 
These are the hypotheses I think are required:
1) kernel with SELinux, with policy loading and enforcing mode setting 
disabled at runtime;
2) there is an integrity system stacked with SELinux which is able to 
grant/deny access depending on the hash and the label of files (checks will be 
performed only on a subset of files, as described in the following points);
3) "local_login_t" is the only domain allowed to change the process label;
4) every file used by the type "local_login_t" is integrity protected (I need 
to build a list of files used by this process and to specify a valid hash)
5) the regular user which plays with "domX" is mapped with the SELinux user 
"user_t" (probably I need extra assumptions to protect the mapping);
6) "domX_exec_t" is the only entrypoint for "domX";
7) the label "domX_exec_t" is bound to the executable and its hash (the 
association is verified at execution time);
8) the transition "user_t -> domX" has been defined when executing a file 
labeled with "domX_exec_t";
9) for now I assume that the user root is not involved in this use case;
10) files labelled with "typeY" are protected and the label is bound to the 
hash (the association will be verified at access time);
11) no subject is authorized to relabelfrom "typeY";

Then when defining the rule:
allow domX typeY: file { getattr open read }; 

Can I say that files labelled with typeY can be read only by the process 
started from the executable labelled with "domX_exec_t"?

Thanks in advance for replies


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
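The policy-side part of the question (hypotheses 6, 8 and 11 plus the exclusive read) can be checked mechanically; the following is an added example, not part of the original post, that audits a set of allow rules for anything that would break the claim. It assumes the rules are written in plain `allow` syntax with attributes already expanded; the sample policy and the types backup_t, sysadm_t and shell_exec_t in it are constructed for illustration, and the label/hash binding of hypotheses 7 and 10 is outside its scope.

```python
import re

# Constructed sample policy (not from the post): expanded allow rules, no attributes.
SAMPLE_POLICY = """
allow domX typeY:file { getattr open read };
allow user_t domX_exec_t:file { getattr open read execute };
allow user_t domX:process transition;
allow domX domX_exec_t:file entrypoint;
allow backup_t typeY:file { getattr read };
allow sysadm_t typeY:file { relabelfrom relabelto };
allow domX shell_exec_t:file { entrypoint execute };
"""

RULE = re.compile(r"allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")

def parse(policy):
    """Yield (source, target, class, permission) for every allow rule."""
    for src, tgt, cls, braced, single in RULE.findall(policy):
        for perm in (braced or single).split():
            yield src, tgt, cls, perm

def who(rules, tgt, cls, perm):
    """Source types granted `perm` on `tgt:cls`."""
    return {s for s, t, c, p in rules if (t, c, p) == (tgt, cls, perm)}

def audit(policy, dom="domX", ftype="typeY", entry="domX_exec_t", parent="user_t"):
    """Return the rules in the policy that break the post's hypotheses."""
    rules = list(parse(policy))
    findings = []
    # The claim itself: no domain other than domX may read typeY files.
    for s in sorted(who(rules, ftype, "file", "read") - {dom}):
        findings.append(f"{s} can also read {ftype}")
    # Hypothesis 11: nobody may relabel typeY files to another type.
    for s in sorted(who(rules, ftype, "file", "relabelfrom")):
        findings.append(f"hypothesis 11: {s} may relabelfrom {ftype}")
    # Hypothesis 6: domX_exec_t is the only entrypoint into domX.
    entries = {t for s, t, c, p in rules if (s, c, p) == (dom, "file", "entrypoint")}
    for t in sorted(entries - {entry}):
        findings.append(f"hypothesis 6: {t} is an extra entrypoint for {dom}")
    # Hypothesis 8: only user_t may transition into domX.
    for s in sorted(who(rules, dom, "process", "transition") - {parent}):
        findings.append(f"hypothesis 8: {s} can also transition to {dom}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_POLICY)) or "no violations found")
```

An empty result only shows that the loaded rules are consistent with the hypotheses; it says nothing about labels or file contents altered while the system is off-line.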
