Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSMsettings for task actions [try #2]
From: Stephen Smalley
Date: Wed Jan 09 2008 - 14:20:18 EST
On Wed, 2008-01-09 at 18:56 +0000, David Howells wrote:
> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > Right, the latter is reasonable.
> > Requires adding the class and permission definition to
> > policy/flask/security_classes and policy/flask/access_vectors and then
> > regenerating the kernel headers from those files, ala:
> > svn co http://oss.tresys.com/repos/refpolicy/trunk refpolicy
> > cd refpolicy/policy/flask
> > vi security_classes access_vectors
> > <add new class to end>
> > make
> > make LINUX_D=/path/to/linux-2.6 tokern
>
> Does this require rebuilding and updating all the SELinux rpms to know about
> the new class?
Policy ultimately has to be updated in order to start writing allow
rules based on the new class/perm. libselinux et al doesn't have to
change.
If you have a "SELinux: policy loaded with handle_unknown=allow"
message in your /var/log/messages, then new classes/perms that are not
yet known to the policy will be allowed by default, so the operation
will be permitted by the kernel.
--
Stephen Smalley
National Security Agency
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/