On Thu, 2011-11-03 at 13:30 +0100, Artur Szymczak wrote:
Hi,
how can the kernel distinguish objects in the system from objects in the policy? I
mean, how does the kernel know that this allow rule is correct for /etc/passwd
and not correct for /etc itself (as a dir):
allow httpd_t etc_t : file { ioctl read getattr lock open } ;
Ok, it is written in the policy that it is a file, but it is only an object
class. Is it defined somewhere that object class 'file' is a file, and
object class 'dir' is a directory?
How can I create a new object class named foo, which will be used for
named_pipe?

Others have explained how to define new classes in the policy, but to
actually have that class used by the kernel, you need to modify the
SELinux hook functions to use the class. If you look at
security/selinux/hooks.c in the kernel sources, you'll see references to
SECCLASS_*. Those symbols are generated from the
security/selinux/include/classmap.h file, as are the permission symbol
definitions.
--
Stephen Smalley
National Security Agency