Defining new access vectors & security classes in policy modules ?
Daniel P. Berrange
berrange at redhat.com
Fri Jan 20 13:11:15 UTC 2012
On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> I'm working on adding fine grained access control to libvirt and need to
> define a bunch of new object classes & their corresponding access
> vectors.
>
> For the sake of simplifying my developement / testing cycle, I'm wondering
> if it is possible to define access vectors / security classes in the
> individual policy module files, rather than in the top level global
> flash/{access_vectors,security_classes} file, which would require me to
> rebuild the entire policy for every change I make.
Also, I see the 'security_deny_unknown()' method call tell you whether
the kernel policy wants unknown object classes/access vectors to be
treated as a denial or not. Is it possible to toggle the allow/deny
behaviour with a runtime tunable as we setenforce, or is it hardcoded
in the policy ?
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the selinux
mailing list