SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List RFC: Per-object manager controls in /selinux/config This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ Next in thread ] [ Replies ] From: Eamon Walsh <ewalsh_at_tycho.nsa.gov> Date: Wed, 19 Dec 2007 18:29:11 -0500 I am proposing adding a separate config line for each userspace object manager, as follows: # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=enforcing + +# SELINUX_MANAGER= can take one of these four values +# enforcing - SELinux security policy is enforced by this object manager. +# permissive - The object manager prints warnings instead of enforcing. +# disabled - SELinux is fully disabled by this object manager. +# default - The object manager will track the system setting. +SELINUX_DBUS=default +SELINUX_XSERVER=permissive + # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. However, I am a little unclear on how runtime setenforce calls should be dealt with. The way it currently works is if the userspace object manager is initialized without an enforcing mode specified in the call to avc_open(), it will track the system setting and conform to netlink "setenforce" messages. However, if avc_open() is called with an enforcing mode specified, it will stay in that mode and not respond to the netlink messages. Users might thus be confused if they issue a "setenforce 0" and the X server stays in enforcing mode because it was specified that way in the config file. But I'm of the opinion that runtime setenforcing is an abnormal event, and anyone who edits the config file away from "default" and then runs setenforce will understand how it works. -- Eamon Walsh <ewalsh@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 19 Dec 2007 - 18:29:17 EST This message: [ Message body ] Next message: David Howells: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Previous message: Martin Orr: "Re: Xorg modprobe denials" Next in thread: KaiGai Kohei: "Re: RFC: Per-object manager controls in /selinux/config" Reply: KaiGai Kohei: "Re: RFC: Per-object manager controls in /selinux/config" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom