[redhat-lspp] Re: Polyinstantiation based on context with MLS

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 13 20:19:15 UTC 2006 

On Wed, 2006-09-13 at 14:16 -0400, Rosalie Hiebel wrote:
> We're trying to understand the policy rules in relation to how 
> instance directories of polyinstantiated directories get created when 
> polyinstantiation is done by context.
> 
> My goal is to have a different instance directory created/mounted for 
> each different context in which an application is running when it 
> accesses this directory.  For example, if running in a context with 
> MLS level s1-s1, I would expect to see a different instance than when 
> running in that same context but whose MLS level is s2-s2.
> 
> The problem is that I cannot get a different instance set up in these 
> 2 cases;  whether running at s1 or s2, the instance directory has a 
> context with an MLS level of SystemLow-SystemHigh.  This is the MLS 
> range I had set up for the polyinstantiated dir (/var/poly) and the 
> directory which contains the instances (/var/poly/poly-inst).
> 
> I added an entry to /etc/security/namespace.conf which contained "context"
>    /var/poly   /var/poly/poly-inst context root,adm
> 
> My understanding was that the actual instance directory creation and 
> mounting for a process was done through the pam_namespace module. 
> Also, if my application called these pam session routines to set up 
> instance directories, it would have to first call setexeccon prior to 
> setting up a pam session.  (Otherwise, pam would override the 
> "context" setting in namespace.conf and create/mount an instance 
> based on user instead of context.)
> 
> To have instance directories actually created by context, I had my 
> test program obtain its current context, set the mls level in this 
> context to either "s1-s1" or "s2-s2", and then pass this context to 
> both setcon and setexeccon.  It then calls the pam routines 
> pam_start() and pam_open_session().  (I had set up a dummy "test" 
> service in /etc/pam.d, and I passed this service name to pam_start 
> along with a  "conversation" routine which simply returned 
> PAM_SUCCESS.)
> 
> When I ran my test program, I looked at /var/log/secure, and 
> pam_namespace indicated it had successfully set up and mounted the 
> instance directory.
> 
> It appears that pam_namespace calls security_compute_member to obtain 
> the context which it sets the newly created instance directory to 
> after creating it.  Does the policy decide this based on the 
> "type_member" rules ?  If this is the case, then this rule seems to 
> state only what the type is, and the remaining part of the context 
> seems to always be the context of my /var/poly directory.  If this is 
> true, then how can it ever achieve having a different instance based 
> on any component of the context (such as the MLS level) being 
> different ?

If there is a matching type_member rule (with a type that differs from
the base dir), then it should return a context with the new type and the
low level from the source context (which in this case would be the exec
context previously set).

As a side bar, it looks like there is an error in the build of the -mls
policy that is leaving the usual polyinstantiation-related rules
disabled (controlled by the POLY= build option).

If possible, you should consider decomposing your application and
running separate instances for the different levels to improve
separation and reduce the trust required in the application itself.

-- 
Stephen Smalley
National Security Agency

More information about the redhat-lspp mailing list