On Mon, 2009-11-30 at 22:53 -0500, Jacques Thomas wrote:
> KaiGai Kohei wrote:
> >>>> I also think we have one other rough option.
> >>>> It simply applies type boundaries on only sources to restrict its privileges,
> >>>> and it does not apply any restrictions on target types.
> >>>>
> >>> Unless there is a clear use for bounds on targets, I would favor this
> >>> option. (The "rough" one :-) )
> >>> I see mostly room for confusion with the bounds on target types, because
> >>> of the contravariance issue.
> >>>
> >> I can write and submit a patch along these lines. The patch is
> >> straightforward: I just have to remove the "dead" code.
> >>
> > Note that libsepol has an option which tests type-boundary violations
> > in usermode just before policy load.
> > Also check check_avtab_hierarchy_callback() in libsepol/src/hierarchy.c.
> > (It is called when )
> >
> > Historically, this code was delivered from the hierarchy namespace support by
> > Joshua Brindle. I'd like to ask him what he thinks about this change.
> >
> > MEMO: The hierarchy namespace support implicitly set up type-boundary
> > on a couple of types. For example, if we defined httpd_t.cgi type,
> > it is implicitly bounded by httpd_t type without TYPEBOUNDS.
> >
> > I also have not seen any case example which restricts target types by
> > the hierarchy namespace support. So, it seems to me we have no matter
> > to remove the "dead" code.
> >
> > Joshua, what's your opinion?
> >
> >> However, could someone please indicate to me how I am supposed to test the
> >> patch? In other words, is there a standardized testing procedure that I
> >> am unaware of?
> >>
> > http://ltp.sourceforge.net/
> >
> > It also contains SELinux testcases including type boundary, but it also
> > does not contain a case of type boundary on target types.
>
> Where does this stand?

IIUC, we are going to just remove the dead code from type_attribute_bounds_av() in the kernel and check_avtab_hierarchy_callback() in libsepol?

With regard to the ltp, note that the last version of the ltp with a working selinux testsuite was ltp-full-20090930. I am still trying to work with the ltp maintainers to fix it in cvs head, but that is still work in progress.

--
Stephen Smalley
National Security Agency
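As an added illustration of the semantics the thread settles on (not code from the kernel, libsepol or any poster), the model below applies a type bound only on the source side of an access vector: a bounded child type can never be granted, as source, a permission its parent lacks for the same target and class, while a bound on a type that appears as target is not enforced at all. The type names and rules are constructed for the example.

```python
# Constructed model of SELinux typebounds as discussed in the thread:
# bounds restrict the SOURCE type only; target-side bounds are not applied
# (that is the "dead code" the thread proposes to remove).
from collections import defaultdict


class Policy:
    def __init__(self):
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.bounds = {}                # child type -> bounding parent type

    def add_allow(self, src, tgt, tclass, perms):
        self.allow[(src, tgt, tclass)] |= set(perms)

    def typebounds(self, parent, child):
        self.bounds[child] = parent

    def bounds_violations(self):
        # Usermode check in the spirit of libsepol's pre-load test: report every
        # rule whose bounded source type exceeds its parent's permissions.
        found = []
        for (src, tgt, tclass), perms in self.allow.items():
            parent = self.bounds.get(src)
            if parent is None:
                continue                # unbounded source, or target-side only
            extra = perms - self.allow.get((parent, tgt, tclass), set())
            if extra:
                found.append((src, tgt, tclass, frozenset(extra)))
        return sorted(found)

    def effective_av(self, src, tgt, tclass):
        # Kernel-style masking as in type_attribute_bounds_av(): the child's
        # access vector is ANDed with every ancestor's for the same target/class.
        av = set(self.allow.get((src, tgt, tclass), set()))
        parent = self.bounds.get(src)
        while parent is not None:
            av &= self.allow.get((parent, tgt, tclass), set())
            parent = self.bounds.get(parent)
        return av


if __name__ == "__main__":
    p = Policy()
    p.typebounds("httpd_t", "httpd_cgi_t")          # constructed names
    p.add_allow("httpd_t", "httpd_log_t", "file", ["read", "append"])
    p.add_allow("httpd_cgi_t", "httpd_log_t", "file", ["read", "write"])
    print(p.bounds_violations())                     # write exceeds the parent
    print(p.effective_av("httpd_cgi_t", "httpd_log_t", "file"))
```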