Re: user guide drafts: Maintaining SELinux Labels

[Murray McAllister <mmcallis@xxxxxxxxxx>]

Stephen Smalley wrote:
> On Thu, 2008-10-09 at 10:26 +1000, Murray McAllister wrote:
> > Clarkson, Mike R (US SSA) wrote:
> > > > -----Original Message-----
> > > > From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx]
> > > On
> > > > Behalf Of Glenn Faden
> > > > Sent: Wednesday, October 08, 2008 8:46 AM
> > > > To: Daniel J Walsh
> > > > Cc: Murray McAllister; SE Linux
> > > > Subject: Re: user guide drafts: Maintaining SELinux Labels
> > > >
> > > > Daniel J Walsh wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Murray McAllister wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > The following are the first few drafts of the "Maintaining SELinux
> > > > > > Labels" sections. Any comments and corrections are appreciated.
> > > > > >
> > > > > > Cheers.
> > > > > >
> > > > > > Copying Files and Directories
> > > > > >
> > > > > > When files and directories are copied, they inherit the SELinux
> > > context
> > > > > > of the parent directory they are copied to. This helps ensure files
> > > and
> > > > > > directories are labeled with the correct SELinux context after
> > > being
> > > > > > moved. The following example demonstrates copying a file from a
> > > user's
> > > > > > home directory to /var/www/html/, which is used by the Apache HTTP
> > > > > > Server. Since the file is copied, it inherits the correct SELinux
> > > > context:
> > > > Is this true when using MLS policy? Assuming the policy allows a
> > > subject
> > > > to create a file in a directory, shouldn't the newly created file's
> > > > SELinux context have the same sensitivity as the subject who wrote it?
> > > > Or is the new file's type copied from the directory and the
> > > sensitivity
> > > > copied from the subject?
> > > You are correct, the type is copied from the directory and the level is
> > > copied from the subject. It might also be worth mentioning that the type
> > > is copied from the directory as default behavior, which can be
> > > overridden with type_transition statements.
> > >
> > > > --Glenn
> > I've changed the first paragraph. How about:
> >
> > When files and directories are copied, they inherit the SELinux context 
> > of the parent directory they are copied to[1].
>
> Not exactly, no.  The security context of a new file is computed from a
> combination of the security context of the creating process and the
> security context of the parent directory, and may further be adjusted by
> policy rules.  The user identity and level are inherited from the
> creating process.  The role is always object_r presently.  The type is
> inherited from the parent directory unless there is a type transition
> rule in the policy for the (creating process domain, parent directory
> type, file object class) triple.  For example, when a process creates a
> file in /tmp, there is usually a type transition rule defined such that
> each domain gets its own private temporary file type.
>
> >  This helps ensure files 
> > and directories are labeled with the correct SELinux context after being 
> > copied. Also, when a file is copied over an existing file, the existing 
> > file's context is maintained.
>
> Unless the user specified options to cp to preserve the context of the
> original on the copy.
Thanks. How about:

When files and directories are copied, the SELinux context of the new 
file or directory depends on the context of the creating process, and 
the context of the target, parent directory: the type is inherited from 
the target, parent directory (unless a type transition rule exists[1]); 
the SELinux user identity and level are inherited from the creating 
process; and the role is always object_r, which is a generic role for 
files. This helps ensure files and directories are labeled with the 
correct SELinux context after being copied.

Also, when a file is copied over an existing file, the existing file's 
context is maintained, unless the user specified cp options to preserve 
the context of the original file, such as --preserve=context.

#Is the following required, or is it covered by the above:

On systems running the MLS policy, when files and directories are 
copied, they inherit the type from the parent directory they are being 
copied to, and the level from the process that copied them.

[1] By default, the type is copied from the parent directory. This 
behavior can be overridden by using type_transition statements in custom 
SELinux policies. Type transition rules are for a creating process 
domain, parent directory type, and file object class triple. For 
example, when a process creates a file in /tmp/, a type transition rule 
is usually defined so that each domain gets its own private, temporary 
file type.
> >  On systems running the MLS policy, when 
> > files are copied, they inherit the type from the parent directory they 
> > are being copied to, and the level from the process that copied them.
> >
> > Is the last sentence, is "the level from the process that copied them" 
> > correct? Should it be "from the process or user that..."?
> >
> > [1] By default, the type is copied from the parent directory. This 
> > behavior can be overridden by using type_transition statements in custom 
> > SELinux policies.
> >
> > I've included an example at the end of the section to show copying a 
> > file over an existing one.
> >
> > Thanks for your feedback.
> >
> > --
> > This message was distributed to subscribers of the selinux mailing list.
> > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> > the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.