Jamie Nguyen
jamie****@tomoy*****
Mon May 2 01:01:02 JST 2011
Tetsuo Handa wrote:
> Jamie Nguyen wrote:
>> Just to make sure we understand each other, do I understand correctly
>> that you want to remove "initialize_domain" directive and replace with
>> "initialize_namespace"? Or do you intend them to exist together?
>
> I won't remove "initialize_domain" directive.
> "initialize_domain" and "initialize_namespace" directives coexist.

This was the root of my misunderstanding! I was falsely under the
impression that you wanted to replace "initialize_domain", but since this
is not the case, namespaces can indeed be ignored by users that don't need
it. Great!

> Sure. "auto_domain_transition=" is used as conditional ACL (case (g) below).
> Currently 7 directives are defined.
>
> (a) initialize_domain /usr/sbin/httpd from any
>
> Jump to "<kernel> /usr/sbin/httpd" domain.
>
> (b) no_initialize_domain /bin/mail from any
>
> Don't jump to "<kernel> /usr/sbin/httpd" domain.
>
> (c) keep_domain any from <kernel> /usr/sbin/httpd /bin/bash
>
> Don't transit to child domain from "<kernel> /usr/sbin/httpd /bin/bash" domain.
>
> (d) no_keep_domain /usr/bin/passwd from any
>
> Transit to "current domain's name" + "/usr/bin/passwd" domain.
>
> (e) task manual_domain_transition <kernel> /usr/sbin/httpd //some/host
>
> Jump to "<kernel> /usr/sbin/httpd //some/host" domain by
> "echo <kernel> /usr/sbin/httpd //some/host > /proc/ccs/self_domain".
>
> (f) task auto_domain_transition <kernel> //lockdown task.uid=1000
>
> Jump to "<kernel> //lockdown" domain when process's uid became 1000.
>
> (g) file read /foo auto_domain_transition="/foo"
>
> Jump to "current domain's name" + "/foo" domain when /foo is opened for reading.
>
> These directives work within the same namespace.
>
> I'm considering introducing 5 more directives in order to support namespaces.
>
> (h) initialize_namespace /usr/sbin/httpd from any
>
> Jump to "</usr/sbin/httpd>" domain.
>
> (i) no_initialize_namespace /usr/sbin/httpd from any
>
> Don't jump to "</usr/sbin/httpd>" domain.
>
> (j) task manual_namespace_transition apache
>
> Jump to "<apache>" domain by "echo apache > /proc/ccs/self_domain".
>
> (k) task auto_namespace_transition apache task.uid=48
>
> Jump to "<apache>" domain when process's uid became 48.
>
> (l) file read /foo auto_namespace_transition="foo"
>
> Jump to "<foo>" domain when /foo is opened for reading.
>
> When namespace is added, (a) - (g) works with the current namespace.
> For example,
>
> initialize_domain /bin/sh from any
>
> in <apache> namespace means
>
> Jump to "<apache> /bin/sh" domain when /bin/sh is executed.
>
> and
>
> initialize_domain /bin/sh from any
>
> in <sshd> namespace means
>
> Jump to "<sshd> /bin/sh" domain when /bin/sh is executed.

All the changes look very good to me. I am guessing that you are proposing
that each namespace will have its own exception_policy.conf?
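As an added illustration (not code from this thread nor from TOMOYO itself), the exec-time directives (a)-(d) and (h)/(i) quoted above can be modelled as a small resolver that computes the domain name a process lands in when it executes a program, including how the same initialize_domain line yields "<kernel> /bin/sh" or "<apache> /bin/sh" depending on the current namespace. The precedence between directives, the matching rules for the "from" field, and the sample policy are my assumptions, not the proposal's specification.

```python
# Toy model of the exec-time domain transitions quoted in the thread (constructed, not TOMOYO code).

def parse_rules(text):
    """Parse 'DIRECTIVE PROGRAM from FROM_PATTERN' lines into (directive, program, from) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        i = tokens.index("from")
        rules.append((tokens[0], " ".join(tokens[1:i]), " ".join(tokens[i + 1:])))
    return rules

def _from_matches(pattern, domain):
    """'any' matches all; a '<...' pattern must equal the whole domain name;
    a bare path matches the last program in the domain name (assumed semantics)."""
    if pattern == "any":
        return True
    if pattern.startswith("<"):
        return pattern == domain
    return domain.split()[-1] == pattern

def _applies(rules, directive, program, domain):
    return any(d == directive and p in ("any", program) and _from_matches(f, domain)
               for d, p, f in rules)

def next_domain(domain, program, rules):
    """Domain entered when a process in `domain` executes `program`.
    Assumed precedence: no_* lines cancel their counterpart; namespace rules (h)/(i)
    are checked before initialize_domain (a)/(b), then keep_domain (c)/(d)."""
    namespace = domain.split()[0]  # first token, e.g. "<kernel>" or "<apache>"
    if (_applies(rules, "initialize_namespace", program, domain)
            and not _applies(rules, "no_initialize_namespace", program, domain)):
        return f"<{program}>"            # (h): jump to a namespace named after the program
    if (_applies(rules, "initialize_domain", program, domain)
            and not _applies(rules, "no_initialize_domain", program, domain)):
        return f"{namespace} {program}"  # (a): jump to "<namespace> program"
    if (_applies(rules, "keep_domain", program, domain)
            and not _applies(rules, "no_keep_domain", program, domain)):
        return domain                    # (c): stay in the current domain
    return f"{domain} {program}"         # default, and (d): current name + " " + program

# Constructed sample policy; the /usr/sbin/sshd namespace line and the /bin/mail lines are made up.
SAMPLE_POLICY = parse_rules("""
initialize_domain /usr/sbin/httpd from any
initialize_domain /bin/mail from any
no_initialize_domain /bin/mail from <kernel> /usr/sbin/httpd /bin/bash
keep_domain any from <kernel> /usr/sbin/httpd /bin/bash
no_keep_domain /usr/bin/passwd from any
initialize_namespace /usr/sbin/sshd from any
""")
```

Feeding the same rule text to processes in two different namespaces shows why the per-namespace reading of (a)-(g) matters: the resolver only ever prefixes the current namespace token, so one exception policy cannot move a process across namespaces unless an initialize_namespace line says so.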