[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Defining new access vectors & security classes in policy modules ?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange
> wrote:
>> I'm working on adding fine grained access control to libvirt and
>> need to define a bunch of new object classes & their
>> corresponding access vectors.
>> 
>> For the sake of simplifying my developement / testing cycle, I'm
>> wondering if it is possible to define access vectors / security
>> classes in the individual policy module files, rather than in the
>> top level global flash/{access_vectors,security_classes} file,
>> which would require me to rebuild the entire policy for every
>> change I make.
I don't this is supported.  IE Putting these into a module will not work.
> 
> Also, I see the 'security_deny_unknown()' method call tell you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable as we setenforce,
> or is it hardcoded in the policy ?
> 
> Regards, Daniel
I don't think you can toggle this.  It might be possible to put
something into semanage to turn on and off this flag but currently
this is a base policy issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk8dgZAACgkQrlYvE4MpobNLZgCeM0HLS/tVUrYFkdanCCwec5oc
ds8AlAxpPqVmyqBSA7XbF+AEOh1b9io=
=7TUW
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Fedora Users]     [Fedora Legacy]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite Photos]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

Powered by Linux

Google
  Web www.spinics.net