Re: Suggestion on fixing a old libselinux problem.

On Thu, 2012-03-01 at 09:42 -0500, Daniel J Walsh wrote:
> On 02/29/2012 04:34 PM, Stephen Smalley wrote:
> > I don't think we want to introduce greater complexity and more
> > possible failures causes into the mix for determining user
> > contexts.  Simplest option would be to change
> > get_ordered_context_list() to return the empty list / fail in that
> > case rather than return the full reachable list from 
> > security_compute_user.  But I'd like to get rid of / replace 
> > security_compute_user with a solution that is mostly userspace, at
> > most getting the user's authorized roles and default level
> > information from selinuxfs but not asking the kernel to compute
> > reachability.
> > 
> 
> 
> Meaning we should read the contents of
> /etc/selinux/TYPE/contexts/users/SELINUXUSER and get the types from
> there that match the type of the login program.
> If that file does not exist, then fall back to
> /etc/selinux/TYPE/contexts/default_context and get the type from there.
> 
> Then just check with the kernel if LOGINTYPE_T can transition to
> USERTYPE_T and choose that context. Else go to the next context.  If
> no context is available to transition return failure.

You can use security_check_context() to see if the context is valid
(e.g. valid user:role pair) before performing a transition check.
You'll have to decide how you want it to operate in permissive mode; the
current security_compute_user() logic ignores permissive mode (via
AVC_STRICT) and thus will return the same contexts you would get in
enforcing mode.  Otherwise permissive mode may lead to users logging in
as sysadm_r rather than user_r if authorized for both.

There is also the MLS aspect, which is more complex. See
mls_setup_user_range() in the kernel.

--

-- 
Stephen Smalley
National Security Agency