fedora-selinux January 2012 archive

Re: Defining new access vectors & security classes in policy modules ?

From: Daniel P. Berrange <berrange_at_nospam>
Date: Mon Jan 23 2012 - 16:07:25 GMT
To: Daniel J Walsh <dwalsh@redhat.com>

On Mon, Jan 23, 2012 at 10:49:36AM -0500, Daniel J Walsh wrote:
>
> On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> > On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> >> I'm working on adding fine grained access control to libvirt and
> >> need to define a bunch of new object classes & their
> >> corresponding access vectors.
> >>
> >> For the sake of simplifying my development / testing cycle, I'm
> >> wondering if it is possible to define access vectors / security
> >> classes in the individual policy module files, rather than in the
> >> top level global flash/{access_vectors,security_classes} file,
> >> which would require me to rebuild the entire policy for every
> >> change I make.
> I don't think this is supported. I.e. putting these into a module will not work.

Ok, I guess I better do a more thorough job of analysing the libvirt
APIs to identify access vectors before I go further then.

> > Also, I see the 'security_deny_unknown()' method call tell you
> > whether the kernel policy wants unknown object classes/access
> > vectors to be treated as a denial or not. Is it possible to toggle
> > the allow/deny behaviour with a runtime tunable as we setenforce,
> > or is it hardcoded in the policy ?
> >
> > Regards, Daniel
> I don't think you can toggle this. It might be possible to put
> something into semanage to turn on and off this flag but currently
> this is a base policy issue.

Don't worry about it - this isn't a feature I actively need - I was
just wondering if it was there so I could do some tests, nothing I
can't do without.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
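The two questions in the thread (can a module define its own classes, and can the unknown-class behaviour be toggled at runtime) both come down to what the loaded kernel policy exposes through selinuxfs, which is also what libselinux's `security_deny_unknown()` reads. The script below is an added example, not code from the thread or from libvirt: it shows how a userspace object manager can check whether a class/permission pair is known to the loaded policy and, if not, what the policy's `handle_unknown` setting dictates. The `access_decision` and `make_fake_selinuxfs` function names and the fake tree are assumptions made for this example.

```shell
# Decide how a userspace object manager should treat an (object class, permission)
# pair against the policy the kernel currently has loaded. Reads selinuxfs, the
# same source libselinux's security_deny_unknown() consults:
#   class/<cls>/index        present iff the class is defined in the loaded policy
#   class/<cls>/perms/<perm> present iff the permission is defined for that class
#   deny_unknown             "1" if unknown classes/permissions must be denied
# Prints "known", "deny" or "allow"; returns 2 if selinuxfs is not mounted.
# On "known" a real object manager would then ask the AVC for the actual
# allow/deny decision; that step is outside this example.
access_decision() {
  cls=$1; perm=$2; root=${3:-/sys/fs/selinux}
  [ -r "$root/deny_unknown" ] || return 2
  if [ -e "$root/class/$cls/perms/$perm" ]; then
    echo known
    return 0
  fi
  # Class or permission is absent from the loaded policy (e.g. a class that only
  # exists in a module's source): the base policy's handle_unknown setting
  # decides, and nothing in the module or at runtime overrides it.
  if [ "$(cat "$root/deny_unknown")" = "1" ]; then
    echo deny
  else
    echo allow
  fi
}

# Constructed stand-in for selinuxfs so the logic can be exercised offline:
# one known class ("file") with one known permission ("read").
make_fake_selinuxfs() {
  root=$1; deny=$2
  mkdir -p "$root/class/file/perms"
  : > "$root/class/file/index"
  : > "$root/class/file/perms/read"
  printf '%s\n' "$deny" > "$root/deny_unknown"
}
```

Run it against the real selinuxfs by omitting the third argument, e.g. `access_decision file read`.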