Re: + smack-version-11c-simplified-mandatory-access-control-kernel.patch added to -mm tree
From: Kyle Moffett
Date: Mon Nov 26 2007 - 12:36:37 EST
On Nov 24, 2007, at 22:36:43, Crispin Cowan wrote:
Kyle Moffett wrote:
Actually, a fully-secured strict-mode SELinux system will have no
unconfined_t processes; none of my test systems have any.
Generally "unconfined_t" is used for situations similar to what
AppArmor was designed for, where the only "interesting" security
is that of the daemon (which is properly labelled) and one or more
of the users are unconfined.
Interesting. In a Targeted Policy, you do your policy
administration from unconfined_t. But how do you administer a
Strict Policy machine? I can think of 2 ways:
[snip]
* there is some type that is tighter than unconfined_t but none the
less has sufficient privilege to change policy
To me, this would be semantically equivalent to unconfined_t,
because any rogue code or user with this type could then fabricate
unconfined_t and do what they want
Well, in a strict SELinux system, someone who has been permitted the
"Security Administrator" role (secadm_r) and who has logged in
through a "login_t" process may modify and reload the policy. They
are also permitted to view all files up to their clearance, write
files below their level, and relabel files. On the other hand, they
do not have any system-administration privileges (those are reserve
for sysadm_r).
Under the default policy the security administrator may disable
SELinux completely, although that too can be adjusted as "load
policy" is yet another specialized permission.
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/