SELinux Mailing List

Re: Where to specify the handling of unknown kernel classes and perms

From: Stephen Smalley <sds_at_tycho.nsa.gov>
Date: Thu, 03 May 2007 08:46:34 -0400


On Wed, 2007-05-02 at 20:46 -0400, Joshua Brindle wrote:
> Eric Paris wrote:
> > I just sent out a kernel patch with the tristate flag to change kernel
> > handling of unknown classes and permissions. The idea is that when the
> > policy is created someone can set the flag to any of the three options
> > (deny/reject/allow) and the kernel will act accordingly. My problem is
> > I don't understand the userspace tools which create policy. I patched
> > libsepol to support this new flag when it reads or writes a policydb,
> > which allows me to edit my policy.21 by hand in hex and then call
> > load_policy to test my kernel. My problem now is that I don't know
> > where a user should be specifying how they want the flags to be set. To
> > be perfectly honest after a bit of searching I'm not even sure where
> > policy.21 gets created when I build a policy.
> >
> >
> It should be settable in semanage.conf or by checkpolicy if building a
> monolithic policy.

Hmm...actually, I would have argued that it should only be settable by checkpolicy/checkmodule, and always inherited from the base module in the link/expand case. That way we can always know what the kernel behavior is by looking at the base module, vs. having to separately look at semanage.conf. It is a tradeoff though in terms of analyzability vs. ease of customization.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 3 May 2007 - 08:46:36 EDT
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009