Tetsuo Handa
from-****@I-lov*****
Mon May 2 00:11:16 JST 2011
Jamie Nguyen wrote:
> Just to make sure we understand each other, do I understand correctly
> that you want to remove "initialize_domain" directive and replace with
> "initialize_namespace"? Or do you intend them to exist together?

I won't remove "initialize_domain" directive.
"initialize_domain" and "initialize_namespace" directives coexist.

> Sorry, I'm not sure I understand completely. You posted this question earlier:
>
> > If we want to use different keywords (like 'auto_namespace_transition="httpd"'
> > and 'task auto_namespace_transition apache' ) for easier understanding,
> > I can do so.
>
> This was the first time I saw that you introduced these directives.
> Are you saying that these directives are optional, and we could
> implement without them?
>

These directives will not be used by users who can satisfy their needs
within only <kernel> namespace.

> Could you also explain the difference between
> "auto_domain_transition=<httpd>" and "task auto_domain_transition
> <httpd>". I am familiar with "task ....." but not the other.

Sure. "auto_domain_transition=" is used as conditional ACL (case (g) below).

Currently 7 directives are defined.

(a) initialize_domain /usr/sbin/httpd from any

    Jump to "<kernel> /usr/sbin/httpd" domain.

(b) no_initialize_domain /bin/mail from any

    Don't jump to "<kernel> /usr/sbin/httpd" domain.

(c) keep_domain any from <kernel> /usr/sbin/httpd /bin/bash

    Don't transit to child domain from
    "<kernel> /usr/sbin/httpd /bin/bash" domain.

(d) no_keep_domain /usr/bin/passwd from any

    Transit to "current domain's name" + "/usr/bin/passwd" domain.

(e) task manual_domain_transition <kernel> /usr/sbin/httpd //some/host

    Jump to "<kernel> /usr/sbin/httpd //some/host" domain by
    "echo <kernel> /usr/sbin/httpd //some/host > /proc/ccs/self_domain".

(f) task auto_domain_transition <kernel> //lockdown task.uid=1000

    Jump to "<kernel> //lockdown" domain when process's uid became 1000.

(g) file read /foo auto_domain_transition="/foo"

    Jump to "current domain's name" + "/foo" domain when /foo is opened
    for reading.

These directives work within the same namespace.

I'm considering introducing 5 more directives in order to support namespaces.

(h) initialize_namespace /usr/sbin/httpd from any

    Jump to "</usr/sbin/httpd>" domain.

(i) no_initialize_namespace /usr/sbin/httpd from any

    Don't jump to "</usr/sbin/httpd>" domain.

(j) task manual_namespace_transition apache

    Jump to "<apache>" domain by "echo apache > /proc/ccs/self_domain".

(k) task auto_namespace_transition apache task.uid=48

    Jump to "<apache>" domain when process's uid became 48.

(l) file read /foo auto_namespace_transition="foo"

    Jump to "<foo>" domain when /foo is opened for reading.

When namespace is added, (a) - (g) work with the current namespace.
For example,

    initialize_domain /bin/sh from any

in <apache> namespace means

    Jump to "<apache> /bin/sh" domain when /bin/sh is executed.

and

    initialize_domain /bin/sh from any

in <sshd> namespace means

    Jump to "<sshd> /bin/sh" domain when /bin/sh is executed.
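
The exec-time rules (a)-(d), (h) and (i) from the message above can be traced with a small model. This is an added example, not part of the original post and not CCS/TOMOYO code. Assumptions: "from" matches only `any` or an exact domain name, namespace directives are checked before domain directives, rules are grouped per namespace in a dictionary, and the `/sbin/rescue` rule is constructed for illustration.

```python
# Added illustration, not CCS/TOMOYO source. Models exec-time directives
# (a)-(d), (h) and (i) from the message. Assumptions: "from" is "any" or an
# exact domain name; namespace rules are checked before domain rules; a
# no_* rule cancels its counterpart; rules are grouped per namespace.

def parse(line):
    """'keep_domain any from <kernel> /bin/bash' -> (directive, program, source)."""
    directive, rest = line.split(" ", 1)
    program, source = rest.split(" from ", 1)
    return directive, program, source

def next_domain(policy, domain, program):
    """Return the domain a process in `domain` lands in after executing `program`."""
    namespace = domain.split(" ", 1)[0]          # leading "<...>" token
    rules = [parse(line) for line in policy.get(namespace, [])]

    def hit(directive):
        return any(d == directive and p in ("any", program) and s in ("any", domain)
                   for d, p, s in rules)

    if hit("initialize_namespace") and not hit("no_initialize_namespace"):
        return "<%s>" % program                  # (h): root of a new namespace
    if hit("initialize_domain") and not hit("no_initialize_domain"):
        return "%s %s" % (namespace, program)    # (a): stays in current namespace
    if hit("keep_domain") and not hit("no_keep_domain"):
        return domain                            # (c): no child domain
    return "%s %s" % (domain, program)           # default and (d): append program

# Constructed sample policy, keyed by namespace (hypothetical layout).
POLICY = {
    "<kernel>": [
        "initialize_namespace /usr/sbin/httpd from any",
        "no_initialize_namespace /usr/sbin/httpd from <kernel> /sbin/rescue",
        "initialize_domain /usr/sbin/httpd from any",
        "keep_domain any from <kernel> /usr/sbin/httpd /bin/bash",
        "no_keep_domain /usr/bin/passwd from any",
    ],
    "<apache>": ["initialize_domain /bin/sh from any"],
    "<sshd>": ["initialize_domain /bin/sh from any"],
}

if __name__ == "__main__":
    for dom, prog in [("<kernel>", "/usr/sbin/httpd"),
                      ("<kernel> /sbin/rescue", "/usr/sbin/httpd"),
                      ("<apache> /usr/sbin/httpd", "/bin/sh"),
                      ("<kernel> /usr/sbin/httpd /bin/bash", "/usr/bin/passwd")]:
        print("%-36s exec %-16s -> %s" % (dom, prog, next_domain(POLICY, dom, prog)))
```

The same `initialize_domain /bin/sh from any` line yields `<apache> /bin/sh` or `<sshd> /bin/sh` depending only on which namespace the calling process is already in, which is the property to check when reviewing a per-namespace policy.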