On Tue, Sep 04, 2012 at 10:02:34AM -0400, Stephen Smalley wrote:
> On Mon, 2012-09-03 at 19:59 +0200, Ole Kliemann wrote:
> > 01: ( t1 != is_mcsconstrained )
> > 02: or ( t2 != is_mcsconstrained )
>
> Not sure if you are using TE to prevent this, but one possible concern
> with using the same invariant for source (t1) and target (t2) is with
> respect to process ptrace, transition, and dyntransition permissions.
> You want to ensure that a MCS constrained process cannot ptrace or
> transition to a MCS-unconstrained domain.

Yes, that's prevented by TE and asserted by neverallow.

> > 03: or (
> > 04: ( l1 domby h1 )
> > 05: and ( l2 domby h2 )
>
> The kernel (mls_context_isvalid() in security/selinux/ss/mls.c)
> guarantees these invariants for all security contexts.

This one I saw coming.

> > 06: and ( h1 dom h2 )
> > 07: and ( h1 dom l2 )
>
> Redundant.

This one I totally missed. Under the premise of 04 and 05, the source high range always dominates the target low range if it already dominates the target high range -- it's transitive after all.

> > 08: and ( l1 domby l2 )
> > 09: )

Thanks for having a look!

Ole
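The redundancy of line 07 and the reliance on the kernel's high-dom-low invariant can be checked mechanically. The Python below is an added example, not part of this thread or of any SELinux policy source: it models a level as (sensitivity, category set) over a constructed toy universe, evaluates the MLS part of the posted constraint (lines 03-09) for every pair of ranges, and confirms that dropping 07 never changes a verdict, and that over kernel-valid ranges lines 06 and 08 alone give the same result as the full expression. All function names are my own.

```python
from itertools import combinations

# Constructed toy MLS/MCS universe: 2 sensitivities, 3 categories.
SENS = range(2)
CATS = range(3)

def dominates(a, b):
    """a dom b: a's sensitivity >= b's and a's category set is a superset of b's."""
    return a[0] >= b[0] and a[1] >= b[1]

def all_levels():
    """Every level (sensitivity, frozenset of categories) in the toy universe."""
    return [(s, frozenset(c)) for s in SENS
            for n in range(len(CATS) + 1) for c in combinations(CATS, n)]

def all_contexts():
    """Every (low, high) range, including ones the kernel would reject."""
    lv = all_levels()
    return [(l, h) for l in lv for h in lv]

def all_valid_contexts():
    """Ranges satisfying the kernel invariant high dom low (mls_context_isvalid)."""
    return [(l, h) for l, h in all_contexts() if dominates(h, l)]

def mcs_constraint(src, tgt, with_line07=True):
    """MLS part of the posted constraint (lines 03-09); the type test is left to TE."""
    (l1, h1), (l2, h2) = src, tgt
    ok = dominates(h1, l1)                  # 04: l1 domby h1
    ok = ok and dominates(h2, l2)           # 05: l2 domby h2
    ok = ok and dominates(h1, h2)           # 06: h1 dom h2
    if with_line07:
        ok = ok and dominates(h1, l2)       # 07: h1 dom l2 (follows from 05 + 06)
    return ok and dominates(l2, l1)         # 08: l1 domby l2

def minimal_constraint(src, tgt):
    """Only lines 06 and 08: kernel guarantees 04/05, transitivity gives 07."""
    (l1, h1), (l2, h2) = src, tgt
    return dominates(h1, h2) and dominates(l2, l1)

def line07_redundant(contexts):
    """True if dropping line 07 never changes the verdict over the given ranges."""
    return all(mcs_constraint(s, t, True) == mcs_constraint(s, t, False)
               for s in contexts for t in contexts)

def minimal_equivalent(contexts):
    """True if lines 06+08 alone agree with the full constraint over the given ranges."""
    return all(mcs_constraint(s, t) == minimal_constraint(s, t)
               for s in contexts for t in contexts)
```

Over all 256 ranges (valid or not) line 07 is redundant; over the 81 kernel-valid ranges the two-line form is equivalent to the full constraint.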