[redhat-lspp] dev_allocator, udev and import/export requirements

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 8 14:08:27 UTC 2005


On Wed, 2005-09-07 at 17:34 -0400, Janak Desai wrote:
> udev, and selinux enhancements to it, allow assignment of security
> attributes to device nodes based on policy
> (/etc/selinux/*/contexts/files). TCS dev_allocator allows allocation and deallocation of
> "user accessible" devices. dev_allocator maintains its own
> configuration file with sensitivity label ranges (among other
> attributes) for different devices. What I am confused about is how
> does dev_allocator work with udev? That is, if udev assigns a
> security context to a device as its /dev entry is created,
> does the label range of the device have any interaction/relation
> with its dev_allocator entry?

It appears to me (but I don't really know) that the expected behavior is
that udev and file_contexts will just assign an inaccessible security
context (based on its TE type, with its level essentially irrelevant) to
the devices managed dynamically via dev_allocator.  For such devices,
dev_allocator is entirely responsible for synchronization of access,
authorization of access (although it does apply permission checks using
the userspace AVC, which ultimately gets its decisions from the kernel
policy), and assignment of an accessible security context to the device
node while it is allocated based on the context of the allocating
process.  This is only for devices that are dynamically assigned to
different users, like the cdrom.  Seems somewhat similar to
pam_console's handling of removable devices except that
allocation/unallocation is explicit rather than automatic and can occur
within a session rather than only at session creation time.

> The dev_allocator patch implements creation and maintenance
> of device attributes in dev_allocator.conf file. Who uses
> these device records? Are there patches to CUPS, login, star,
> etc that enforce the sensitivity label ranges stored in
> the dev_allocator.conf file? Am I totally off on the use
> of dev_allocator?

Aside from the initial assignment of a context to these devices by
dev_allocator, everything else would just use the context on the device
node that was previously set by dev_allocator, I assume.  Not the config
file.

> LSPP requires that the TOE contain a mechanism by which an
> admin can assign security attributes to devices (single level
> or a range in case of multi-level). These attributes are
> then used in the enforcement of MAC policy when users/programs
> use these devices. I am trying to get a handle on what we
> have to patch in order to satisfy LSPP import/export
> requirements with respect to terminals, printers and removable
> devices.

The device node context provides the basis for enforcement when programs
attempt to access the device. 

-- 
Stephen Smalley
National Security Agency



