Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSMsettings for task actions [try #2]

[Stephen Smalley]

On Wed, 2008-01-09 at 18:56 +0000, David Howells wrote:
> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> 
> > Right, the latter is reasonable.
> > Requires adding the class and permission definition to
> > policy/flask/security_classes and policy/flask/access_vectors and then
> > regenerating the kernel headers from those files, ala:
> >   svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy
> >   cd refpolicy/policy/flask
> >   vi security_classes access_vectors
> >   <add new class to end>
> >   make
> >   make LINUX_D=/path/to/linux-2.6 tokern
> 
> Does this require rebuilding and updating all the SELinux rpms to know about
> the new class?

Policy ultimately has to be updated in order to start writing allow
rules based on the new class/perm.  libselinux et al doesn't have to
change.

If you have a "SELinux:  policy loaded with handle_unknown=allow"
message in your /var/log/messages, then new classes/perms that are not
yet known to the policy will be allowed by default, so the operation
will be permitted by the kernel.

-- 
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/