Re: [PATCH 2/2] selinux: add support for xperms in conditional policies
From: Christian Göttsche
Date: Wed Aug 21 2024 - 09:16:12 EST

> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Add support for extended permission rules in conditional policies.
> Currently the kernel accepts such rules already, but evaluating a
> security decision will hit a BUG() in
> services_compute_xperms_decision(). Thus reject extended permission
> rules in conditional policies for current policy versions.
>
> Add a new policy version for this feature.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> Userspace patches are available at:
> https://github.com/SELinuxProject/selinux/pull/432
>
> Maybe the policy version 34 can be reused for the prefix/suffix filetrans
> feature to avoid two new versions?

Kindly ping.
Any comments?
This also affects (improves?) the netlink xperm proposal.