Re: [RFC] packet/socket owner match (fireflier) using skfilter

From: Török Edwin
Date: Mon Apr 03 2006 - 11:40:58 EST


On Monday 03 April 2006 18:18, James Morris wrote:
> On Sun, 2 Apr 2006, Török Edwin wrote:
> > Before continuing the work on it, I ask for your advice, and comments on
> > what I've done so far.
>
> I would suggest dropping your LSM stuff and just using SELinux. It's
> crazy to try and reinvent it.
I am not trying to reinvent SELinux. But I do not know how to accomplish what
I want with SELinux.

Here is what I want:
- have security labels applied to sockets based on their owners (ok, I guess
SELinux does this by default)

- the security labels of processes be assigned based on their executable's
inode+mountpoint.
Is there a way to do auto-labeling with SELinux? I mean having a security
context applied based on the inode, without me having to run 'make relabel',
setfiles, and so on....
Let's say I compile&install a program. Can it have a security label
auto(magically) applied, based on the inode of its executable? (without
recompiling, & reloading the policy)

(From my very limited understanding of SELinux, this would mean creating a
context for each executable, that is altering the policy, if each executable
needs to have a separate context. Is it possible to dynamically generate the
context at runtime? Is it possible to integrate my autolabel.c with SELinux?)

It doesn't have to have a security label applied by its inode, but that is
unique; I don't know how secure it would be to identify processes by path...

If the above is possible, could you please provide pointers to documentation?

How can I implement auto-labeling with SELinux? (is there a possibility to
write some sort of plugins that provide this functionality?)

To sum up, I wrote my LSM stuff because I didn't know how to use SELinux to
accomplish what I wanted.
If it can be done with SELinux easily, I'm happy to switch to that. (easy from
the end-user's perspective, using fireflier for example. It doesn't matter
how much work it would imply to make fireflier handle the stuff "behind the
scenes")

Thanks in advance,
Edwin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
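The message above proposes identifying a process's executable by inode plus mount point rather than by path. The following is an added illustration for this page, not code from fireflier, from the thread, or from SELinux: a small user-space label table keyed by (st_dev, st_ino), next to one keyed by path string, exercised on a temporary file that is renamed. The label name "myapp_exec_t", the table sizes and the temporary directory are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example, not code from fireflier or the thread: a tiny user-space
 * label table keyed by (st_dev, st_ino), the "inode + mountpoint" identity
 * the message proposes, beside one keyed by path. The label name
 * "myapp_exec_t" is hypothetical. */

#define MAX_LABELS 16

struct inode_label { dev_t dev; ino_t ino; char label[64]; };
struct path_label  { char path[256]; char label[64]; };

static struct inode_label inode_table[MAX_LABELS];
static struct path_label  path_table[MAX_LABELS];
static int n_inode, n_path;

/* Record a label for the inode currently behind `path`. st_dev tells
 * filesystems apart, so the same inode number on two mounts does not
 * collide. Returns 0 on success, -1 on stat failure or a full table. */
int label_by_inode(const char *path, const char *label)
{
    struct stat st;
    if (n_inode >= MAX_LABELS || stat(path, &st) != 0)
        return -1;
    inode_table[n_inode].dev = st.st_dev;
    inode_table[n_inode].ino = st.st_ino;
    snprintf(inode_table[n_inode].label, sizeof inode_table[n_inode].label, "%s", label);
    n_inode++;
    return 0;
}

/* Record a label for a path string (the fragile alternative). */
int label_by_path(const char *path, const char *label)
{
    if (n_path >= MAX_LABELS)
        return -1;
    snprintf(path_table[n_path].path, sizeof path_table[n_path].path, "%s", path);
    snprintf(path_table[n_path].label, sizeof path_table[n_path].label, "%s", label);
    n_path++;
    return 0;
}

/* Resolve `path` to whatever inode is behind it now and return its label,
 * or NULL when the inode is unknown or the path does not exist. */
const char *lookup_by_inode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return NULL;
    for (int i = 0; i < n_inode; i++)
        if (inode_table[i].dev == st.st_dev && inode_table[i].ino == st.st_ino)
            return inode_table[i].label;
    return NULL;
}

/* Exact string match on the path, or NULL. */
const char *lookup_by_path(const char *path)
{
    for (int i = 0; i < n_path; i++)
        if (strcmp(path_table[i].path, path) == 0)
            return path_table[i].label;
    return NULL;
}

/* Create a file in a fresh temp dir, label it both ways, rename it, and
 * check that the inode label follows the file while the path label does
 * not. Returns 1 when that is what happens, 0 on any failure. */
int demo(void)
{
    char dir[] = "/tmp/autolabel.XXXXXX";   /* constructed scratch location */
    char orig[300], moved[300];
    int ok = 1, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(orig,  sizeof orig,  "%s/myapp", dir);
    snprintf(moved, sizeof moved, "%s/myapp.moved", dir);

    fd = open(orig, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);

    ok &= label_by_inode(orig, "myapp_exec_t") == 0;
    ok &= label_by_path(orig,  "myapp_exec_t") == 0;

    ok &= rename(orig, moved) == 0;

    /* The inode identity survives the rename ... */
    const char *l = lookup_by_inode(moved);
    ok &= l != NULL && strcmp(l, "myapp_exec_t") == 0;
    /* ... while the path-keyed label no longer matches anything ... */
    ok &= lookup_by_path(moved) == NULL;
    /* ... and the old path, with no inode behind it, yields nothing. */
    ok &= lookup_by_inode(orig) == NULL;

    unlink(moved);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("inode-keyed label survives rename: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner would want alongside this. First, inode numbers are recycled once the inode is freed, so a table keyed this way has to be invalidated when the file is unlinked (in a kernel LSM that means acting on inode free, which this user-space demo cannot do); otherwise a later, unrelated file can inherit the label. Second, the same binary on two mounts has two identities, which is the intended behaviour but needs to be kept in mind when packaging. For context outside the thread: SELinux keeps a file's label in the security.selinux extended attribute on the inode itself, so a label set with chcon also follows a rename within the same filesystem, and the process domain is then chosen by type_transition rules in policy; the path-based part is the file_contexts database consulted by restorecon and setfiles.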