On 18.6.2021 6.50, Paul Moore wrote:
On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
Describe cases where nosuid_transition or nnp_transition are needed.
Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
src/computing_security_contexts.md | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
index bb946b5..7bd1d87 100644
--- a/src/computing_security_contexts.md
+++ b/src/computing_security_contexts.md
@@ -84,7 +84,14 @@ Processes inherit their security context as follows:
*default_type* (policy version 28) or if a security-aware process,
by calling ***setexeccon**(3)* if permitted by policy prior to
invoking exec.
-3. At any time, a security-aware process may invoke ***setcon**(3)* to
+3. If the file system is mounted with *nosuid* flag, type transitions
+ require permission *nosuid_transition*. If the thread has
+ *no_new_privs* attribute set, the transition requires
+ *nnp_transition*. For both transitions, policy capability
+ *nnp_nosuid_transition* is also required. See also
+ [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
+ section.
Thanks for adding this text, however I might suggest the following changes:
"If the loaded SELinux policy has the nnp_nosuid_transition policy
capability enabled there are potentially two additional permissions
that are required to permit a domain transition: nosuid_transition for
nosuid mounted filesystems, and nnp_transition for for threads with
the no_new_privs flag."
... does that make sense?
Yes. I'd then add:
"If nnp_nosuid_transition policy capability is disabled, such domain
transitions are denied."
-Topi
+4. At any time, a security-aware process may invoke ***setcon**(3)* to
switch its security context (if permitted by policy) although this
practice is generally discouraged - exec-based transitions are
preferred.
--
2.30.2