On Thu, 2012-03-01 at 09:42 -0500, Daniel J Walsh wrote: > On 02/29/2012 04:34 PM, Stephen Smalley wrote: > > I don't think we want to introduce greater complexity and more > > possible failures causes into the mix for determining user > > contexts. Simplest option would be to change > > get_ordered_context_list() to return the empty list / fail in that > > case rather than return the full reachable list from > > security_compute_user. But I'd like to get rid of / replace > > security_compute_user with a solution that is mostly userspace, at > > most getting the user's authorized roles and default level > > information from selinuxfs but not asking the kernel to compute > > reachability. > > > > > Meaning we should read the contents of > /etc/selinux/TYPE/contexts/users/SELINUXUSER and get the types from > there that match the type of the login program. > If that file does not exist, then fall back to > /etc/selinux/TYPE/contexts/default_context and get the type from there. > > Then just check with the kernel if LOGINTYPE_T can transition to > USERTYPE_T and choose that context. Else go to the next context. If > no context is available to transition return failure. You can use security_check_context() to see if the context is valid (e.g. valid user:role pair) before performing a transition check. You'll have to decide how you want it to operate in permissive mode; the current security_compute_user() logic ignores permissive mode (via AVC_STRICT) and thus will return the same contexts you would get in enforcing mode. Otherwise permissive mode may lead to users logging in as sysadm_r rather than user_r if authorized for both. There is also the MLS aspect, which is more complex. See mls_setup_user_range() in the kernel. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
