On Fri, Jun 18, 2021 at 4:37 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> On 18.6.2021 22.32, Paul Moore wrote:
> > On Fri, Jun 18, 2021 at 2:09 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> >> On 18.6.2021 6.50, Paul Moore wrote:
> >>> On Sat, Jun 12, 2021 at 4:14 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> >>>>
> >>>> Describe cases where nosuid_transition or nnp_transition are needed.
> >>>>
> >>>> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> >>>> ---
> >>>> src/computing_security_contexts.md | 9 ++++++++-
> >>>> 1 file changed, 8 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/src/computing_security_contexts.md b/src/computing_security_contexts.md
> >>>> index bb946b5..7bd1d87 100644
> >>>> --- a/src/computing_security_contexts.md
> >>>> +++ b/src/computing_security_contexts.md
> >>>> @@ -84,7 +84,14 @@ Processes inherit their security context as follows:
> >>>> *default_type* (policy version 28) or if a security-aware process,
> >>>> by calling ***setexeccon**(3)* if permitted by policy prior to
> >>>> invoking exec.
> >>>> -3. At any time, a security-aware process may invoke ***setcon**(3)* to
> >>>> +3. If the file system is mounted with *nosuid* flag, type transitions
> >>>> + require permission *nosuid_transition*. If the thread has
> >>>> + *no_new_privs* attribute set, the transition requires
> >>>> + *nnp_transition*. For both transitions, policy capability
> >>>> + *nnp_nosuid_transition* is also required. See also
> >>>> + [**Linux Security Module and SELinux**](lsm_selinux.md#linux-security-module-and-selinux)
> >>>> + section.
> >>>
> >>> Thanks for adding this text, however I might suggest the following changes:
> >>>
> >>> "If the loaded SELinux policy has the nnp_nosuid_transition policy
> >>> capability enabled there are potentially two additional permissions
> >>> that are required to permit a domain transition: nosuid_transition for
> >>> nosuid mounted filesystems, and nnp_transition for threads with
> >>> the no_new_privs flag."
> >>>
> >>> ... does that make sense?
> >>
> >> Yes. I'd then add:
> >>
> >> "If nnp_nosuid_transition policy capability is disabled, such domain
> >> transitions are denied."
> >
> > In most cases, yes that is correct, but bounded domain transitions are
> > still allowed in the case where the nnp_nosuid_transition policy
> > capability is not enabled.
>
> I see. May I propose then:
>
> "If nnp_nosuid_transition policy capability is disabled, such domain
> transitions are denied but bounded domain transitions are still allowed.
> In bounded transitions, target domain is only allowed a subset of the
> permissions of the source domain."

That sounds good to me.

--
paul moore
www.paul-moore.com
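Review bot: the quoted hunk is incomplete and the wording of the new item 3 overstates the role of the policy capability. The header `@@ -84,7 +84,14 @@` and the diffstat (`8 insertions(+), 1 deletion(-)`) account for one more added line than the seven `+` lines shown, so the fate of the removed `-3. At any time, a security-aware process may invoke ***setcon**(3)* to` (presumably renumbered to item 4) is not visible and cannot be confirmed from the quote. Separately, `+ *nnp_nosuid_transition* is also required` reads as if the capability itself must be present for any such transition to succeed, whereas the thread establishes that the capability controls whether `nosuid_transition` and `nnp_transition` are checked at all, and that with the capability disabled bounded domain transitions remain allowed; the phrasing proposed later in the thread ("If the loaded SELinux policy has the nnp_nosuid_transition policy capability enabled there are potentially two additional permissions ...", followed by the bounded-transition sentence) should replace the last two sentences of the new item.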
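For readers of the thread who want to see what the permissions under discussion look like in policy, the following is an added illustrative fragment in kernel policy language; it is not part of the patch or of the SELinux Notebook, and the types mydomain_t, myapp_t and myapp_exec_t are hypothetical. It shows the policy capability declaration alongside the ordinary domain-transition rules and the two extra process2 permissions that are checked only when the capability is enabled.

```selinux
# Added example, not from the patch or the SELinux Notebook.
# Types mydomain_t, myapp_t and myapp_exec_t are hypothetical.

# With this capability declared, exec-based domain transitions on nosuid
# mounts or from threads with no_new_privs set are permitted only if the
# matching process2 permission below is also allowed. Without it, such
# transitions are denied unless the target domain is bounded by the source.
policycap nnp_nosuid_transition;

# Ordinary domain transition: mydomain_t executes myapp_exec_t and
# enters myapp_t.
allow mydomain_t myapp_exec_t:file { read execute open };
allow mydomain_t myapp_t:process transition;
allow myapp_t myapp_exec_t:file entrypoint;
type_transition mydomain_t myapp_exec_t:process myapp_t;

# Extra permissions (class process2) checked when the capability is enabled:
#   nosuid_transition - executable lives on a filesystem mounted nosuid
#   nnp_transition    - calling thread has the no_new_privs flag set
allow mydomain_t myapp_t:process2 { nosuid_transition nnp_transition };
```

Granting both process2 permissions only where a transition across a nosuid mount or from a no_new_privs thread is genuinely expected keeps the default restriction intact for every other domain pair.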