Toshiharu Harada
harad****@nttda*****
Wed Aug 31 18:15:34 JST 2011
(2011/08/27 15:01), Tetsuo Handa wrote:
> Toshiharu Harada wrote:
>> I assume the new suggestions include several
>> different purposes/advantages. What seems to be most
>> important to you?
>> Tetsuo (Eliminating needs to synchronize the
>> exception policy? I guess)

Thanks a lot for the in-depth information. Now things are much cleaner for me.

> Advantage 1:
>
> <kernel> /usr/sbin/sshd
> file execute /bin/bash <kernel> /usr/sbin/sshd //batch-session exec.argc=2 exec.argv[1]="-c"
> file execute /bin/bash <kernel> /usr/sbin/sshd //root-session task.uid=0
> file execute /bin/bash <kernel> /usr/sbin/sshd //nonroot-session task.uid!=0
>
> will allow transition to different domains based on conditions.
>
> Advantage 2:
>
> file execute /tmp/logrotate.\?\?\?\?\?\? <logrotate.tmp>
>
> will allow executing /tmp/logrotate.\?\?\?\?\?\? in <logrotate.tmp> domain
> without defining "aggregator /tmp/logrotate.\?\?\?\?\?\? /tmp/logrotate.tmp".
>
> Advantage 3:
>
> If we use "aggregator" entry, it affects all domains in the same namespace.
> It may not be always preferable when the "aggregator" matches many pathnames.
>
> For example, if we want to allow execution of /bin/\* other than /bin/su ,
>
> aggregator /bin/\*\-su //bin-except-su
>
> <kernel> /usr/sbin/sshd /bin/bash
> file execute //bin-except-su
>
> will allow it. But, within the same namespace, if we want to allow execution
> of /bin/\* other than /bin/su and /bin/ping ,
>
> aggregator /bin/\*\-su\-ping //bin-except-su-and-ping
>
> <kernel> /usr/sbin/sshd /bin/tcsh
> file execute //bin-except-su-and-ping
>
> will allow it. However, if the order is
>
> aggregator /bin/\*\-su //bin-except-su
> aggregator /bin/\*\-su\-ping //bin-except-su-and-ping
>
> /bin/ls from <kernel> /usr/sbin/sshd /bin/bash domain will succeed whereas
> /bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain will fail because
> /bin/ls will match //bin-except-su .
>
> Likewise, if the order is
>
> aggregator /bin/\*\-su\-ping //bin-except-su-and-ping
> aggregator /bin/\*\-su //bin-except-su
>
> /bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain will succeed whereas
> /bin/ls from <kernel> /usr/sbin/sshd /bin/bash domain will fail because
> /bin/ls will match //bin-except-su-and-ping .
>
> If we use
>
> <kernel> /usr/sbin/sshd /bin/bash
> file execute /bin/\*\-su <kernel> /usr/sbin/sshd /bin/bash //bin-except-su
>
> <kernel> /usr/sbin/sshd /bin/tcsh
> file execute /bin/\*\-su\-ping <kernel> /usr/sbin/sshd /bin/tcsh //bin-except-su-and-ping
>
> both /bin/ls from <kernel> /usr/sbin/sshd /bin/tcsh domain and
> /bin/ls from <kernel> /usr/sbin/sshd /bin/bash domain will succeed because
> we don't need to use "aggregator".

Advantages 1 and 2 look pretty intuitive and I liked them.
And disadvantages mentioned in 3 appeared to be persuasive to me.

> Advantage 4:
>
> Well, advantage 3 may be false because we have "path_group".
>
> path_group group_for_bash /bin/\*\-su
> path_group group_for_tcsh /bin/\*\-su\-ping
>
> <kernel> /usr/sbin/sshd /bin/bash
> file execute @group_for_bash
>
> <kernel> /usr/sbin/sshd /bin/tcsh
> file execute @group_for_tcsh
>
> But
>
> <kernel> /usr/sbin/sshd /bin/bash
> file execute @group_for_bash keep
>
> <kernel> /usr/sbin/sshd /bin/tcsh
> file execute @group_for_tcsh keep
>
> will save us from writing
>
> no_initialize_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
> no_initialize_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
> no_reset_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
> no_reset_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
> delete no_keep_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
> delete no_keep_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
> keep_domain /bin/\*\-su from <kernel> /usr/sbin/sshd /bin/bash
> keep_domain /bin/\*\-su\-ping from <kernel> /usr/sbin/sshd /bin/tcsh
>
> to exception policy.

Looks just nice. :-)
So, let me say, "I am convinced".

Best regards,
Toshiharu Harada
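As an added example, not code from this thread or from TOMOYO itself, the following Python model reproduces the "Advantage 3" argument quoted above: with namespace-wide `aggregator` entries, whether `/bin/ls` is allowed from the bash or tcsh domain depends on the order of the two entries, whereas per-domain `file execute` patterns give both domains the intended result. The pattern matcher is a deliberate simplification (assumed semantics: `\*` matches any run of characters without `/`, each `\-name` subtracts one exact name, and the first matching aggregator wins); the real kernel matcher supports more than this.

```python
# Added example, not TOMOYO's own code: a simplified model of the aggregator
# ordering problem and of per-domain execute patterns discussed in the mail.
# Assumptions: "\*" matches any run of characters not containing '/',
# "\-name" subtracts one exact name from the wildcard, and aggregator
# entries are consulted in order with the first match winning.


def pattern_to_matcher(pattern):
    """Return a predicate for a pattern of the form
    <literal prefix>\\*[\\-name]*  (e.g. r"/bin/\*\-su\-ping").
    A pattern without \\* is matched literally (used for "//name" entries)."""
    if r"\*" not in pattern:
        return lambda path: path == pattern
    prefix, rest = pattern.split(r"\*", 1)
    excluded = set(rest.split(r"\-")[1:])  # names following each "\-"

    def matches(path):
        if not path.startswith(prefix):
            return False
        tail = path[len(prefix):]
        # The wildcard must not cross a directory boundary; excluded names lose.
        return "/" not in tail and tail not in excluded

    return matches


def aggregate(aggregators, path):
    """Rewrite path through the first matching aggregator entry, if any."""
    for pattern, aggregated_name in aggregators:
        if pattern_to_matcher(pattern)(path):
            return aggregated_name
    return path


def can_execute(acl, domain, path, aggregators=()):
    """True if the domain's 'file execute' entries allow running path."""
    effective = aggregate(aggregators, path)
    return any(pattern_to_matcher(p)(effective) for p in acl.get(domain, ()))


BASH = "<kernel> /usr/sbin/sshd /bin/bash"
TCSH = "<kernel> /usr/sbin/sshd /bin/tcsh"

# Policy as in "Advantage 3": each domain grants an aggregated name, and the
# namespace-wide aggregator list decides which name a real path maps to.
AGGREGATED_ACL = {BASH: ["//bin-except-su"], TCSH: ["//bin-except-su-and-ping"]}
ORDER_SU_FIRST = [(r"/bin/\*\-su", "//bin-except-su"),
                  (r"/bin/\*\-su\-ping", "//bin-except-su-and-ping")]
ORDER_PING_FIRST = list(reversed(ORDER_SU_FIRST))

# Proposed alternative: each domain carries its own pattern, no aggregator.
PER_DOMAIN_ACL = {BASH: [r"/bin/\*\-su"], TCSH: [r"/bin/\*\-su\-ping"]}


def compare(path="/bin/ls"):
    """Evaluate path from both domains under each policy style.
    Returns {style: (allowed_from_bash, allowed_from_tcsh)}."""
    return {
        "aggregator su-first": (
            can_execute(AGGREGATED_ACL, BASH, path, ORDER_SU_FIRST),
            can_execute(AGGREGATED_ACL, TCSH, path, ORDER_SU_FIRST)),
        "aggregator ping-first": (
            can_execute(AGGREGATED_ACL, BASH, path, ORDER_PING_FIRST),
            can_execute(AGGREGATED_ACL, TCSH, path, ORDER_PING_FIRST)),
        "per-domain pattern": (
            can_execute(PER_DOMAIN_ACL, BASH, path),
            can_execute(PER_DOMAIN_ACL, TCSH, path)),
    }


if __name__ == "__main__":
    for path in ("/bin/ls", "/bin/ping", "/bin/su"):
        for style, (bash_ok, tcsh_ok) in compare(path).items():
            print(f"{path:10s} {style:22s} bash={bash_ok!s:5s} tcsh={tcsh_ok}")
```

Running it shows the asymmetry the mail describes: under either aggregator order exactly one of the two domains is denied `/bin/ls`, while with per-domain patterns both domains allow `/bin/ls`, tcsh alone denies `/bin/ping`, and both deny `/bin/su`.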