Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Yuichi Nakamura]

Hi,it is my first post to the LSM list.

"Serge E. Hallyn" wrote:
> Have you ever tried, at 4pm some afternoon, sitting in a room with 
> somepaper and implementing the AA user interface on top of selinux?
We've implemented AppArmor like configuration on top of SELinux.
SELinux Policy Editor(http://seedit.sourceforge.net/) does this.
In its current development version(not released yet, only in CVS), 
Configuration for httpd is like below.

#####
{
domain httpd_t;
program /usr/sbin/httpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;
allow /etc s;
allow /etc/httpd/** r,s;
allow /var/log/httpd/** r,a,s;
allow /var/www/** r,s;
allow /var s;
allow /var/run/** s;
allow /etc/php.d/** r,s;
allow /etc/php.ini r,s;
allow /etc/mime.types r,s;
allow /etc/pki/** r,s;
allownet -protocol tcp -port 80,443 server;
}
#####
Above is converted into SELinux Policy language.
Types, allow rules,domain transision rules are generated.
It works, and can also restrict IPC and privilege other than POSIX
capability(because it is based on SELinux).

However, path-name based configuration can not be achieved on SELinux in
following cases.
1) Files on file system that does not support xattr(such as sysfs)
   SELinux policy editor handles all files as same on such file systems.
2) Files that are dynamically created/deleted(inode number is not fixed).
   Example is files on /tmp and /etc/mtab. SELinux Policy Editor is
using file type transition to configure access control for them.


--
---
Yuichi Nakamura
Japan SELinux Users Group(JSELUG)
SELinux Policy Editor:  http://seedit.sourceforge.net/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/