SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2] This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: David Howells <dhowells_at_redhat.com> Date: Wed, 09 Jan 2008 16:51:24 +0000 Okay. I can: (1) Have cachefilesd (the daemon) pass a security context string to the cachefiles kernel module, which can then convert it to a secID. It'll require a security_secctx_to_secid() function, but I'm fairly certain I have a patch to add such kicking around somewhere. (2) Make security_task_kernel_act_as() take a task_security struct and a secID and just assign the latter to the former. I'm not sure it makes sense to do any checks here, other than checking that under SELinux the secID is of SECCLASS_PROCESS class. However, I need to write a check that the cachefilesd daemon is permitted to nominate the secID it did. Can someone tell me how to do this? The obvious way to do this is to add another PROCESS__xxx security permit specifically for cachefiles, but that seems like a waste of a bit when there are only two spare bits. avc_has_perm(daemon_tsec->sid, nominated_sid, SECCLASS_PROCESS, PROCESS__CACHEFILES_USE, NULL); Now, I recall the addition of another security class being mentioned, which presumably would give something like: avc_has_perm(daemon_tsec->sid, nominated_sid, SECCLASS_CACHE, CACHE__USE_AS_OVERRIDE, NULL); And I assume this doesn't care if one, the other or both of the two SIDs mentioned are of SECCLASS_PROCESS rather than of SECCLASS_CACHE. David -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 9 Jan 2008 - 11:51:38 EST This message: [ Message body ] Next message: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Previous message: Daniel J Walsh: "Re: In the midst of doing a conversion of audit2why to python" In reply to: Stephen Smalley: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Next in thread: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Reply: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Reply: Stephen Smalley: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom