[systemd-devel] [PATCH] Add SELinuxContext configuration item

Michael Scherer misc at zarb.org
Fri Jan 3 02:56:47 PST 2014


On Friday 03 January 2014 at 00:58 +0000, "Jóhann B. Guðmundsson"
wrote:
> On 12/28/2013 01:30 PM, Lennart Poettering wrote:
> > On Fri, 27.12.13 23:26, misc at zarb.org (misc at zarb.org) wrote:
> >
> >> >From: Michael Scherer <misc at zarb.org>
> >> >
> >> >This permits system administrators to decide the domain of a service.
> >> >This can be used with templated units to have each service in a different
> >> >domain (for example, a per-customer database, using MLS or anything),
> >> >or it can be used to force a non-SELinux-enabled system (jvm, erlang, etc.)
> >> >to start in a different domain for each service.
> > Hmm, so far (as I understood it) the SELinux guys always wanted to make
> > sure that label configuration stays in the selinux database and
> > nowhere else.
> 
> Right, and if you add this you need to add something for the other
> security solutions as well (apparmor etc.).

I do not see why we need to equally support all MAC frameworks for each
change we do. And while I am familiar enough with apparmor to create an
equivalent setting (and plan to do so), I have no idea how to
translate the concept for smack, ima and tomoyo.

In fact, the mere fact that tomoyo is not handled at all already shows
that we do not treat all security frameworks as equal.

> This introduces yet another place for administrators to look at while
> debugging problems, so the question to ask here is:
>
> Is adding this ability to unit files the right way to solve what's
> trying to be solved here?

As Dan said, yes. 

Usually, the transition from one domain to another is done at the
kernel level based on the label of the executed file. See
https://wiki.gentoo.org/wiki/SELinux/Tutorials/How_does_a_process_get_into_a_certain_context
and http://danwalsh.livejournal.com/23944.html

However, as said, there are some cases where the approach of making the
transition based on the executed filename is not sufficient. For
example, the erlang vm, the jvm, etc.: every piece of software will run in
the same domain, in different processes, because it is always the same
jvm being executed. See the bug I mentioned before.

Now, if you have more precise feedback and/or a better proposal, I am
ready to hear it, but the only alternative I see is to make the JVM,
erlang, etc. SELinux aware. That's a much bigger task, and I am
not sure it is worth the code duplication (not to mention that it makes
the sysadmin look in several different places). And the design I was
thinking of (i.e. replicating the current system of doing the transition
based on file label) would require reimplementing the kernel code in
userspace, in libselinux, and I would rather avoid this for various
reasons (security, avoiding code duplication).

Another solution would be to create a shell wrapper for every java, erlang
and mono program, and then use the process transition on the shell wrapper,
but that doesn't scale that well and does not offer the sysadmin the
flexibility of the current patch (and would likely be Fedora specific as
well).

-- 
Michael Scherer
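As an added illustration of the templated-unit case Michael describes, not part of the original thread or of the posted patch: one template unit that puts each instance of the same JVM binary into its own SELinux domain. It assumes the directive as it exists in later systemd, `SELinuxContext=` in the `[Service]` section with specifier expansion; the type names `jvm_app_<instance>_t`, the user `jvmapp` and the paths are placeholders, and the loaded policy must define those types and allow init to transition into them, because the directive only requests the transition, it does not create policy.

```ini
# /etc/systemd/system/jvm-app@.service  (constructed example, not the patch)
#
# Every instance (jvm-app@customer1.service, jvm-app@customer2.service, ...)
# executes the same /usr/bin/java, so a file-label based type_transition
# in the kernel would land all of them in one domain. Setting the context
# from the unit lets each instance get its own domain instead.

[Unit]
Description=JVM application for tenant %i

[Service]
# systemd sets this context on the process just before exec().
# %i expands to the instance name: customer1 -> jvm_app_customer1_t.
# The target type must exist in the policy and init_t must be allowed
# to transition to it with java's file type as entrypoint; otherwise
# the unit fails to start rather than silently running unconfined.
SELinuxContext=system_u:system_r:jvm_app_%i_t:s0
ExecStart=/usr/bin/java -jar /srv/%i/app.jar
User=jvmapp
WorkingDirectory=/srv/%i

[Install]
WantedBy=multi-user.target
```

After starting two instances, `ps -eZ | grep java` should show a different type (third field of the context) for each of them, which is the check a sysadmin can use to confirm the per-instance separation actually took effect.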
