On Sat, Oct 16, 2004 at 09:56:41AM -0400, Alex Ackerman wrote:
> capabilities of SELinux; i.e., making sure that SELinux functions as
> advertised when dealing with events of escalating privilege.
just a comment [other than privilege means private law]:
as i understand it, there is no "escalation" present in SE/Linux,
only that assigned in the minds of us humans.
a good analogy for the way that SE/Linux works is door-cards and
guards.
outside a building, you are given a door-card by a guard: depending
on whether you are on a list, your door-card will now give you
access a) to an entry point into the building b) the right to go
through certain doors inside that building.
at _some_ doors inside the building, there will be another guard.
if you attempt to go through a door (assuming your card allows you to
do that), the guard will, depending on whether you are on a list, TAKE
AWAY your present card and GIVE YOU A TOTALLY DIFFERENT ONE.
that card might, or might not, give you the right to go back through
the door you have just gone through (!).
so, you can enter the university building, use your card to get into
the lecture theatre, but your card is taken away from you when you
enter the lecture theatre, and the card you are given only allows you
to go to the toilet or to the exit out the building.
in this "world", there is no "escalation" as such.
certain rooms are only allowed to be accessed by certain people who have
certain cards: you can only get to a certain place via a specific route
if you are the right person.
that's a bit different from "escalating privilege" because that implies
hierarchy, which SE/Linux doesn't have, per-se.
l.
p.s. if this analogy sounds a bit weird, to help you tie it into selinux,
the guards swapping cards at doors is managed by "domain_auto_trans".
|
