On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> I'm working on adding fine grained access control to libvirt and
> need to define a bunch of new object classes & their
> corresponding access vectors.
>
> For the sake of simplifying my development / testing cycle, I'm
> wondering if it is possible to define access vectors / security
> classes in the individual policy module files, rather than in the
> top level global flask/{access_vectors,security_classes} file,
> which would require me to rebuild the entire policy for every
> change I make.
I don't think this is supported, i.e. putting these into a module
will not work.
> Also, I see the 'security_deny_unknown()' method call tells you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable, as with setenforce,
> or is it hardcoded in the policy ?
> Regards, Daniel
I don't think you can toggle this. It might be possible to put
something into semanage to turn on and off this flag, but currently
this is a base policy issue.
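Since new classes and access vectors can only live in the global flask files, a cheap way to shorten the module development cycle the thread describes is to lint a module's allow rules against those files before rebuilding anything. The following is an added example (not code from the thread or from libvirt/refpolicy); the access_vectors excerpt and the .te rules are constructed samples, and the class and permission names for libvirt objects are hypothetical.

```python
"""Lint a policy module's allow rules against the global flask/access_vectors
declarations, reporting any class or permission the base policy does not define."""
import re

# Constructed excerpt in flask/access_vectors syntax (hypothetical virt classes).
ACCESS_VECTORS = """
common file { read write getattr setattr }
class file inherits file { execute entrypoint }
class virt_domain { start stop migrate }
"""

# Constructed module rules; the last two reference things the base policy lacks.
MODULE_TE = """
allow libvirtd_t virt_domain_t:virt_domain { start stop };
allow libvirtd_t virt_image_t:file { read write };
allow libvirtd_t virt_domain_t:virt_domain { snapshot };
allow libvirtd_t virt_storage_t:virt_storage { create };
"""

_BLOCK = re.compile(r'^(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}', re.M)
_ALLOW = re.compile(r'^allow\s+\w+\s+\w+:(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)

def parse_access_vectors(text):
    """Return {class_name: set(permissions)}, folding in inherited common perms."""
    commons, classes = {}, {}
    for kind, name, parent, body in _BLOCK.findall(text):
        perms = set(body.split())
        if kind == 'common':
            commons[name] = perms
        else:
            # 'inherits' refers to a common block; unmatched group is ''.
            classes[name] = perms | commons.get(parent, set())
    return classes

def undefined_refs(module_text, classes):
    """Return (class, perm) pairs used by allow rules but absent from the base policy."""
    problems = []
    for cls, perms in _ALLOW.findall(module_text):
        for perm in perms.strip('{}').split():
            if cls not in classes or perm not in classes[cls]:
                problems.append((cls, perm))
    return problems

if __name__ == '__main__':
    for cls, perm in undefined_refs(MODULE_TE, parse_access_vectors(ACCESS_VECTORS)):
        print(f"undefined in base policy: class {cls} perm {perm}")
```

A rule that survives this check can still be denied by the kernel's deny_unknown setting at load time, which is the base-policy flag discussed above, not something the module can override.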