On Sat, 6 Feb 2010, Guillem Jover <[email protected]> wrote:
> Ok, so this is my basic understanding of how SE Linux works here (my
> terminology might not be accurate), please correct were appropriate.
> AFAICS there's at least two ways to apply a context to a file, one is
> to set the current file system context for new created objects (via
> setfscreatecon) and the other is to explicitly set the context for an
> existing file (via setfilecon and friends). Letting a file with the
> default context should not reduce the security, it might just not allow
> others to access it.

If you don't do anything special then the default context for the created file 
will be based on the context of the directory that it is created in.  The 
default if there is no specific policy is for the type to match the type of 
the directory.  There can be special policy saying "when a process of domain 
X creates a file in directory type Y then use type Z".

In addition a process can request that a certain context be used for creating 
a file, the policy can deny such a request or deny it based on the type of 
object being created.

After a filesystem object is created it can be relabeled.

Leaving a file with a default context can mean that SUID type functionality is 
not applied, this can mean that privileges are not dropped.

> Are the SE Linux file contexts handled like normal file attributes,
> that get propagated with rename(2) and only get reset on unlink(2) or
> with an explicit SE Linux call? Or are they handled differently and
> do get reset on rename(2) (I thought SE Linux was not path based)?

rename(2) and link(2) make no difference to the label.  unlink(2) doesn't 
change it either.  Access checks are performed on open handles to unlinked 
files - when a process calls exec() file handles may be closed by SE Linux 
because the process transitioned to a new domain and is no longer granted 
access to the file (or isn't permitted to inherit the file handle).

fsetfilecon(3) may be called on an unlinked file, as access controls in SE 
Linux are performed on all accesses if an unlinked file has it's context 
changed then processes that are accessing it may suddenly get their access 
denied with EPERM.

> (Or I guess in other words are they associated to the inode or the
> dentry?)

It's always been the Inode.  There is no other sane way to do it.

> If it's the former then yes the extra setfscreatecon() at the end of
> tarobject() does not seem to make sense, if it's the latter we have
> an additional problem, as if tarobject gets interrupted and then it
> tries to restore the .dpkg-tmp backup then the context will be wrong
> for that one as rename(2) would reset the context.

rename(2) does not affect the context.

-- 
[email protected]
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to