Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tcf-dev] Mandatory Access Control support in TCF

Eugene,

the reason is very simple.
Yes security is part of the target OS configuration, but TCF daemon is in charge to do the copy of file that you want to test and that copy on the target system. It is currently done with the default security attribute (label to be clearer) which is unlikely to be any good when you will try to launch (or use for data file) the newly installed executable that you want to test.

So we need to enable the support of changing the default security attributes after copying the file under test on the target. Furthermore as the host system running Eclipse is unlikely going to use the same security labels (or even model), we need to define a position where to store that information on the development host side (but that is a smaller issue).

Is it clearer ?

Dominig ar Foll
Senior Software Architect
Open Source Technology Centre
Intel SSG

Le 21/01/2016 19:30, Eugene Tarassov a écrit :
Hi Dominig,

Security, like SELinux, is implemented in the kernel and, normally, does not require any cooperation from user space software, like TCF. Could you explain why exactly TCF agent would want to be aware of Mandatory Access Control?

Thanks,
Eugene


-----Original Message-----
From: tcf-dev-bounces@xxxxxxxxxxx [mailto:tcf-dev-bounces@xxxxxxxxxxx] On Behalf Of Dominig ar Foll (Intel OTC)
Sent: Thursday, January 21, 2016 9:49 AM
To: tcf-dev@xxxxxxxxxxx
Subject: [tcf-dev] Mandatory Access Control support in TCF

Hello,

I am a new comer on this list and I am looking for the best solution to
add the support off some common security mechanisms to TCF.
I am hoping to get some advise from people who know that code well and
might have ideas on what would be the best implementation model.

I would like to start by a Mandatory Access Control such as SE Linux or
Smack, then I would like to look at and Integrity enforcement such as
IMA and container support.

The support of those type of security faciilities will require to extend
some services in particular the 'File System Service' and the 'Run
Control Service' to support the additional file extended attributes used
by MAC and the increased complexity of attaching ptrace to a service
running in a bespoke security context.

Obviously, we do not want to create patches but rather an extension
which can be configured to support various model of MAC (at least Smack
and SE Linux sto start with).

Thanks in advance for your help.

--
Dominig ar Foll
Senior Software Architect
Open Source Technology Centre
Intel SSG

_______________________________________________
tcf-dev mailing list
tcf-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/tcf-dev


This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.

_______________________________________________
tcf-dev mailing list
tcf-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/tcf-dev



Back to the top