Re: How to off RBAC in SELinux?

12.06.2020 23:44, Stephen Smalley wrote:
> On Fri, Jun 12, 2020 at 4:05 PM Mikhail Novosyolov
> <m.novosyolov@xxxxxxxxxxxx> wrote:
>>
>> Hello,
>>
>> Is it possible to remove any checks for RBAC (role-based access control) violations and check only against MLS/MCS rules?
>>
>> What I have:
>> 1) a system with most files labelled correctly according to a Fedora-based SELinux policy, which in turn is based on the refpolicy;
>> they will probably have to be kept to make what I want work
>> 2) RBAC-based control from SELinux is not needed, e.g. it is not needed to prevent httpd from executing 3rd party binaries
>> 3) MLS is needed, e.g. it is needed to verify that httpd cannot access "secret" documents
>>
>> If I understood correctly, main calculations are done in context_struct_compute_av() (security/selinux/ss/services.c), but it does not query MLS separately.
>> Also, all actions are prohibited by default, the problem is that the policy specifies what to allow, but I would like to vice versa specify what to deny, but keep MLS parts working as is.
>>
>> The question is: is it possible to make selinux ignore (2), either in the kernel or in policy?
>>
>> In other words, how to make SELinux make allow-or-deny decisions based on MLS/MCS only, without RBAC?
>> The only question that must be answered is: does this action violate rules of accessing objects of different level of secrecy (sN:cM) or not.
>>
>> Please give a clue where to start looking for a solution. Thanks!
>
> The problem you would quickly run into is that you always need
> exceptions in any MLS policy, e.g. files that need to be readable
> and/or writable in violation of the normal MLS restrictions and
> processes that need to be exempted from them.  The way you do that in
> SELinux is to use different TE types and domains and provide OR
> clauses in the MLS constraints to exempt them.  So I doubt you truly
> want to disable RBAC/TE altogether.

I am aware of this and that is why I want to keep existing types,
domains and labels and not break those exceptions. What I want to
change is to make the kernel not disallow access when RBAC/TE is violated,
unless MLS rules are violated.

> What you could do is to reduce
> the policy to just the minimal set of domains and types needed to
> support those distinctions and leave most things labeled with the same
> domain/type.

It would require reworking the whole policy and rewriting MLS exceptions...
It is very near to writing a policy from scratch, I think.

Patching the kernel to achieve this will be OK, but, after studying the code,
it seems that the whole SELinux was first designed to block access
when RBAC/TE rules are violated, and then MLS was added there... So it is not
obvious which part of the code would better be changed to achieve this aim,
and how hard it will be to achieve it.
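
The following is an added illustration, not part of the e-mail above and not kernel or refpolicy code: a toy model of the decision discussed in the thread, where an MLS read constraint carries OR clauses that exempt certain TE types. The type names, levels and allow rules are constructed, the constraint is simplified to three clauses, and `enforce_te=False` only models the "MLS only" behaviour asked about; `mlsfileread` and `mlstrustedobject` are the refpolicy attribute names used for such exemptions.

```python
from dataclasses import dataclass

# Constructed type-to-attribute map (hypothetical domains and object types).
ATTRS = {
    "httpd_t": set(),
    "backup_t": {"mlsfileread"},            # domain exempt from read-down rule
    "secret_doc_t": set(),
    "shared_log_t": {"mlstrustedobject"},   # object exempt from MLS checks
}

# Constructed TE allow rules: (source type, target type, permission).
TE_ALLOW = {
    ("httpd_t", "shared_log_t", "read"),
    ("backup_t", "secret_doc_t", "read"),
}

@dataclass(frozen=True)
class Level:
    sens: int                       # N in sN
    cats: frozenset = frozenset()   # category set (cM)

    def dom(self, other):
        # Dominance: sensitivity at least as high, categories a superset.
        return self.sens >= other.sens and self.cats >= other.cats

@dataclass(frozen=True)
class Ctx:
    type: str
    low: Level

def mls_read_ok(src, tgt):
    # Simplified read constraint: dominance OR an exempted type on either side.
    return (src.low.dom(tgt.low)
            or "mlsfileread" in ATTRS[src.type]
            or "mlstrustedobject" in ATTRS[tgt.type])

def decide(src, tgt, perm="read", enforce_te=True):
    # Normal behaviour: a TE allow rule AND the MLS constraint must both pass.
    # enforce_te=False skips the allow-rule lookup, yet the constraint still
    # consults the type attributes, so the labels have to stay in place.
    te_ok = (src.type, tgt.type, perm) in TE_ALLOW or not enforce_te
    return te_ok and mls_read_ok(src, tgt)
```
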




