SELinuxProject / selinux-notebook

The SELinux Notebook

Q: questions about security context computing? #24

Closed linux-gcc closed 1 year ago

linux-gcc commented 1 year ago

fs_use_task pipefs system_u:object_r:fs_t:s0

The type component defaults to the type of the target type if no matching type_transition rule was specified in the policy (policy version 28 allows a default_type of source or target to be defined)

What exactly does the target type described here mean? Taking the above policy as an example, is it fs_t?

cgzones commented 1 year ago

In my interpretation https://github.com/SELinuxProject/selinux-notebook/blob/7eba84c76a68e8f284f5a33d3f0cd298655b6cbe/src/computing_security_contexts.md?plain=1#L171-L174

talks about the filesystem context (the one used for filesystem access checks, like mount, unmount, etc.).

https://github.com/SELinuxProject/selinux-notebook/blob/7eba84c76a68e8f284f5a33d3f0cd298655b6cbe/src/file_labeling_statements.md?plain=1#L119-L122 talks about the file objects on it.

linux-gcc commented 1 year ago

Thanks! That is to say, for pseudo file systems, if there is no matching type_transition rule, the label of the pseudo file system uses the label of the creating process by default? For example, if a process mounts the tmpfs file system, is the label of the tmpfs file system the same as the process label? @cgzones

cgzones commented 1 year ago

The tmpfs filesystem is generally labeled via the fs_use_trans statement.

fs_use_trans is different from fs_use_task: the former uses as the default context for newly created objects the parent context of the object (e.g. system_u:object_r:tmpfs_t), while the latter uses the context of the creating task (e.g. user_u:user_r:user_t).

"label of the tmpfs file system is the same as the process label"

There is a difference between the label of the filesystem and the label of objects on/in that filesystem. The label of the filesystem generally does not depend on the process mounting it.
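To make the distinction in the answer above concrete, here is an added toy model (not code from the notebook or the SELinux project) of the two separate computations: the label of the filesystem itself, which comes from the policy's fs_use_* statement regardless of who mounts it, and the label of a new object on that filesystem, which for fs_use_task is the creating task's context and for fs_use_trans/fs_use_xattr is computed from the parent's context with the notebook's default rules (user from the creating task, role object_r, type from the target unless a type_transition rule matches). The policy fragments, contexts and the user_tmpfs_t transition are constructed for the example; MLS levels are carried through unchanged and the model ignores mount options and xattrs on existing files.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:level."""
    user: str
    role: str
    type: str
    level: str = "s0"

    @classmethod
    def parse(cls, text):
        user, role, type_, level = text.split(":", 3)
        return cls(user, role, type_, level)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.level}"


# Constructed toy policy (assumption: not taken from any real distribution policy).
# fstype -> (labeling behaviour, context of the filesystem itself)
FS_USE = {
    "pipefs": ("fs_use_task", Context.parse("system_u:object_r:fs_t:s0")),
    "sockfs": ("fs_use_task", Context.parse("system_u:object_r:fs_t:s0")),
    "tmpfs": ("fs_use_trans", Context.parse("system_u:object_r:tmpfs_t:s0")),
    "ext4": ("fs_use_xattr", Context.parse("system_u:object_r:fs_t:s0")),
}

# (source type, target type, object class) -> resulting type; constructed rule
TYPE_TRANSITION = {
    ("user_t", "tmpfs_t", "file"): "user_tmpfs_t",
}


def filesystem_context(fstype, mounting_task):
    """Label of the filesystem (superblock), the one used for filesystem-class
    checks such as mount/unmount. It is the context given in the fs_use_*
    statement and does not depend on the task mounting it; mounting_task is
    accepted only to make that independence explicit."""
    del mounting_task
    return FS_USE[fstype][1]


def new_object_context(fstype, creating_task, parent, tclass="file"):
    """Label of a newly created object on the filesystem.

    fs_use_task: the object carries the creating task's full context.
    fs_use_trans / fs_use_xattr (fresh object, no xattr yet): default rules,
    user from the creating task, role object_r, type from the parent unless a
    type_transition(source, target, class) rule matches."""
    behaviour, _fs_ctx = FS_USE[fstype]
    if behaviour == "fs_use_task":
        return creating_task
    new_type = TYPE_TRANSITION.get((creating_task.type, parent.type, tclass), parent.type)
    return Context(creating_task.user, "object_r", new_type, creating_task.level)


if __name__ == "__main__":
    task = Context.parse("user_u:user_r:user_t:s0")
    tmpfs_root = Context.parse("system_u:object_r:tmpfs_t:s0")
    # The filesystem label is the same whoever mounted it ...
    print("tmpfs filesystem:", filesystem_context("tmpfs", task))
    # ... while objects on it get a context derived from the parent directory
    print("new tmpfs file:  ", new_object_context("tmpfs", task, tmpfs_root, "file"))
    print("new tmpfs dir:   ", new_object_context("tmpfs", task, tmpfs_root, "dir"))
    # fs_use_task: a pipe is labeled with the creating task's own context
    pipefs = filesystem_context("pipefs", task)
    print("pipefs filesystem:", pipefs)
    print("new pipe:         ", new_object_context("pipefs", task, pipefs, "fifo_file"))
```

Running it shows the two results the answer distinguishes: the tmpfs filesystem stays system_u:object_r:tmpfs_t:s0 whether user_t or kernel_t mounts it, a file created by user_u:user_r:user_t on it becomes user_u:object_r:user_tmpfs_t:s0 through the transition (a dir, with no matching rule, keeps tmpfs_t), and a pipe on pipefs is simply user_u:user_r:user_t:s0.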

pcmoore commented 1 year ago

This repo isn't intended for general SELinux questions, but regardless, it looks like this question is resolved, so I'm going to go ahead and close this issue. @linux-gcc, if you have any further SELinux questions that are not specific to The SELinux Notebook, I suggest joining the SELinux developers mailing list; the link to subscribe is below: