On Wed, 2006-10-25 at 15:15 -0400, James Antill wrote:
> On Wed, 2006-10-25 at 09:59 -0400, Stephen Smalley wrote:
> > On Wed, 2006-10-25 at 09:50 -0400, James Antill wrote:
> > > My understanding is that while security_check_context() allows it, the
> > > setexeccon() will fail. Which seemed to be good enough.
> >
> > No, it won't. Suppose that I have two Linux users A and B, with A
> > authorized for category c0 and B authorized for category c2 in seusers,
> > but both A and B are mapped to SELinux user U who is authorized for all
> > categories in the kernel policy. The login-style programs are naturally
> > going to be authorized to transition to any of those contexts since they
> > have to deal with user logins at any level, so the setexeccon() will
> > succeed. The SELinux security context will have U as the user identity,
> > so it will always be valid. You need an explicit check.
>
> Ok, I had assumed that "U" would always be different in this case.

BTW, using different SELinux user identities (U) was the approach before seusers came into being, but the point of seusers was to avoid having to rebuild the kernel policy every time you wanted to add, remove, or change a Linux user's authorized range. Thus, the per-Linux-user restriction is specified in seusers and enforced by the login-style programs (and then subsequently bounded for the session based on the high/clearance level).

-- 
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
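As an added example (not code from the thread or from libselinux), a Python model of the explicit check Stephen describes: a constructed seusers table maps two Linux logins to the same SELinux user U with different category authorizations, and a requested context is accepted only when its SELinux user matches the seuser and its MLS range lies within the authorized range, following the dominance rule of SELinux's mls_range_contains(). The seusers contents, login names and the role/type in the contexts are assumptions made for the example.

```python
# Added example, not from the thread; the seusers table is a constructed sample.

SEUSERS = """\
# login:seuser:authorized MLS range   (constructed, not a real seusers file)
userA:U:s0-s0:c0
userB:U:s0-s0:c2
__default__:U:s0
"""

def parse_level(text):
    """'s0:c0.c2,c5' -> (0, {0, 1, 2, 5}); 's0' -> (0, set())."""
    sens, _, cats = text.partition(":")
    categories = set()
    for part in cats.split(",") if cats else []:
        lo, _, hi = part.partition(".")          # 'c0.c2' is the run c0..c2
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), categories

def parse_range(text):
    """'s0-s0:c0' -> (low, high); a single level is a range of itself."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def dominates(a, b):
    # MLS dominance: higher-or-equal sensitivity and a superset of categories
    return a[0] >= b[0] and a[1] >= b[1]

def range_contains(outer, inner):
    # As in mls_range_contains(): inner.low dominates outer.low, outer.high dominates inner.high
    return dominates(inner[0], outer[0]) and dominates(outer[1], inner[1])

def seuser_entry(login, table=SEUSERS):
    """Return (seuser, range) for a login, falling back to __default__."""
    entries = {}
    for line in table.splitlines():
        if line and not line.startswith("#"):
            name, seuser, rng = line.split(":", 2)
            entries[name] = (seuser, rng)
    return entries.get(login, entries["__default__"])

def context_allowed(login, context):
    """The explicit check: the SELinux user must match the seuser AND the requested
    MLS range must lie inside the authorized range; a valid context alone is not enough."""
    seuser, authorized = seuser_entry(login)
    user, _role, _type, rng = context.split(":", 3)
    return user == seuser and range_contains(parse_range(authorized), parse_range(rng))
```

Both userA and userB map to U, so a context with user U passes a plain validity check; only the range comparison rejects userA asking for c2 or userB asking for c0.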
