Re: [patch 2/3] lsm: add bsdjail module

From: Chris Wright
Date: Tue Oct 12 2004 - 20:15:47 EST

Next message: Valdis . Kletnieks: "Re: 2.6.9-rc4-mm1-VP-T7 - horrid death in vortex_init at boot"
Previous message: Ulrich Drepper: "Re: [patch 2/3] lsm: add bsdjail module"
In reply to: Stephen Smalley: "Re: [patch 2/3] lsm: add bsdjail module"
Next in thread: Stephen Smalley: "Re: [patch 2/3] lsm: add bsdjail module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Ulrich Drepper (drepper@xxxxxxxxxx) wrote:
> Serge E. Hallyn wrote:
> > +If a private IP was specified for the jail, then
> > + cat /proc/$$/attr/current
>
> How is this going to interact with SELinux?

Poorly. It's not expected to work with SELinux. There's no good
stacking yet.

> Currently SELinux uses
> /proc/*/attr/current to report the current security context of the
> process. libselinux expects the file to contain one string (not even a
> newline) which is the textual representation of the context. Now with
> your changes you want to change this. libselinux as-is would break
> miserably.

Maybe libselinux should not look around in there unless SELinux is
enabled in kernel.

> I don't know the history of the file and who is hijacking the file.
> Fact is that the file content is currently unstructured and libselinux
> couldn't possibly determine what part is of interest to itself.
>
> So, either you use another file, SELinux uses another file, or the file
> gets tagged lines like
>
> selinux: user_u:user_r:user_t

Yeah, that's workable. Other options would probably look like putting
stuff in module specific locations, which is more painful.

> I guess you couldn't even start the userlevel code in FC3 in such a jail
> in the moment since the libselinux startup tests would fail.

Userspace won't start in a jail, and once it's up, jailing works (on
rawhide for example). Admittedly, the label looks a bit funny.

# in jail
$ ps -eM
LABEL PID TTY TIME CMD
No 16933 ? 00:00:00 bash
No 17010 ? 00:00:00 ps

# unconfined
$ ps -eM
<snip>
Not 5714 pts/5 00:00:00 ssh
Not 12027 pts/6 00:00:00 bash
Not 12046 pts/6 00:00:00 vim
Not 16823 pts/4 00:00:00 vim
Not 16911 pts/8 00:00:00 bash
Root: 16933 pts/7 00:00:00 bash
Not 17016 pts/8 00:00:00 ps

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Valdis . Kletnieks: "Re: 2.6.9-rc4-mm1-VP-T7 - horrid death in vortex_init at boot"
Previous message: Ulrich Drepper: "Re: [patch 2/3] lsm: add bsdjail module"
In reply to: Stephen Smalley: "Re: [patch 2/3] lsm: add bsdjail module"
Next in thread: Stephen Smalley: "Re: [patch 2/3] lsm: add bsdjail module"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]