SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2] This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: David Howells <dhowells_at_redhat.com> Date: Thu, 13 Dec 2007 18:04:04 +0000 Stephen Smalley <sds@tycho.nsa.gov> wrote: > Do any of the interfaces allow a task to act on a cache other than one > it has created? No. > How does the task identify the desired cache? Each file descriptor opened creates one separate cache instance. Any commands sent over that filedescriptor affect only the cache instance it is attached to; similarly, any status data you read only refers to that one cache instance. Closing the file descriptor makes the cache go away as far as the kernel is concerned. The cachefiles daemon retains its cache dev file descriptor for the lifetime of the daemon. > What if there is a conflict between multiple tasks asking for the same > cache? As far as the cache daemon is concerned, the file descriptor is its handle to the cache so the conflict does not arise. > secid is being applied as the acting context for the cachefiles kernel > module, so the above makes sense, even though there isn't really any > "object" in view here. Abstractly, the question we are asking above is: > > Can this task set the context of the cachefiles kernel module to this > value? So the following (taken from cachefilesd.te): allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink }; says, for example, allow: avc_has_perm("cachefilesd_t", "cachefiles_var_t", SECCLASS_FILE, FILE__RENAME, ...); David -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Thu 13 Dec 2007 - 13:06:26 EST This message: [ Message body ] Next message: Reed, Tim \(US SSA\): "RE: newrole in the background" Previous message: Stephen Smalley: "RE: newrole in the background" In reply to: Stephen Smalley: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Next in thread: Casey Schaufler: "Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom