Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tcf-dev] Mandatory Access Control support in TCF 
Hi Dominig,

As I understand, you want a remote interface for managing security attributes. It would be best to keep such functionality decoupled from Run Control and File System and define a new service (e.g. Access Control Service). Ideally, such service would be completely independent from other services. Clients would use it to adjust security attributes when necessary.

Regards,
Eugene

-----Original Message-----
From: tcf-dev-bounces@xxxxxxxxxxx [mailto:tcf-dev-bounces@xxxxxxxxxxx] On Behalf Of Dominig ar Foll (Intel OTC)
Sent: Thursday, January 21, 2016 10:40 AM
To: tcf-dev@xxxxxxxxxxx
Subject: Re: [tcf-dev] Mandatory Access Control support in TCF

Eugene,

the reason is very simple.
Yes security is part of the target OS configuration, but TCF daemon is
in charge to do the copy of file that you want to test and that copy on
the target system. It is currently done with the default security
attribute (label to be clearer) which is unlikely to be any good when
you will try to launch (or use for data file) the newly installed
executable that you want to test.

So we need to enable the support of changing the default security
attributes after copying the file under test on the target.
Furthermore as the host system running Eclipse is unlikely going to use
the same security labels (or even model), we need to define a position
where to store that information on the development host side (but that
is a smaller issue).

Is it clearer ?

Dominig ar Foll
Senior Software Architect
Open Source Technology Centre
Intel SSG

Le 21/01/2016 19:30, Eugene Tarassov a écrit :
> Hi Dominig,
>
> Security, like SELinux, is implemented in the kernel and, normally, does not require any cooperation from user space software, like TCF. Could you explain why exactly TCF agent would want to be aware of Mandatory Access Control?
>
> Thanks,
> Eugene
>
>
> -----Original Message-----
> From: tcf-dev-bounces@xxxxxxxxxxx [mailto:tcf-dev-bounces@xxxxxxxxxxx] On Behalf Of Dominig ar Foll (Intel OTC)
> Sent: Thursday, January 21, 2016 9:49 AM
> To: tcf-dev@xxxxxxxxxxx
> Subject: [tcf-dev] Mandatory Access Control support in TCF
>
> Hello,
>
> I am a new comer on this list and I am looking for the best solution to
> add the support off some common security mechanisms to TCF.
> I am hoping to get some advise from people who know that code well and
> might have ideas on what would be the best implementation model.
>
> I would like to start by a Mandatory Access Control such as SE Linux or
> Smack, then I would like to look at and Integrity enforcement such as
> IMA and container support.
>
> The support of those type of security faciilities will require to extend
> some services in particular the 'File System Service' and the 'Run
> Control Service' to support the additional file extended attributes used
> by MAC and the increased complexity of attaching ptrace to a service
> running in a bespoke security context.
>
> Obviously, we do not want to create patches but rather an extension
> which can be configured to support various model of MAC (at least Smack
> and SE Linux sto start with).
>
> Thanks in advance for your help.
>
> --
> Dominig ar Foll
> Senior Software Architect
> Open Source Technology Centre
> Intel SSG
>
> _______________________________________________
> tcf-dev mailing list
> tcf-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/tcf-dev
>
>
> This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.
>
> _______________________________________________
> tcf-dev mailing list
> tcf-dev@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from this list, visit
> https://dev.eclipse.org/mailman/listinfo/tcf-dev

_______________________________________________
tcf-dev mailing list
tcf-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/tcf-dev


This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.

Back to the top