Defining new access vectors & security classes in policy modules ?

Daniel J Walsh dwalsh at redhat.com
Mon Jan 23 15:49:36 UTC 2012



On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange
> wrote:
>> I'm working on adding fine grained access control to libvirt and
>> need to define a bunch of new object classes & their
>> corresponding access vectors.
>> 
>> For the sake of simplifying my development / testing cycle, I'm
>> wondering if it is possible to define access vectors / security
>> classes in the individual policy module files, rather than in the
>> top level global flask/{access_vectors,security_classes} file,
>> which would require me to rebuild the entire policy for every
>> change I make.
I don't think this is supported, i.e. putting these into a module will not work.
> 
> Also, I see the 'security_deny_unknown()' method call tell you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable as we setenforce,
> or is it hardcoded in the policy ?
> 
> Regards, Daniel
I don't think you can toggle this.  It might be possible to put
something into semanage to turn on and off this flag but currently
this is a base policy issue.
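Since new classes only exist once the base policy is rebuilt, a program like libvirt can at least detect at runtime whether its class is known to the loaded policy and what the kernel does with unknown ones. The following is an added example, not code from the thread or from libvirt: it reads the kernel's selinuxfs interface (the `class/<name>/perms/` tree and the `deny_unknown` flag that `security_deny_unknown()` reports) and takes the mount point as a parameter so it can also be run against a constructed fake tree; the class name `virt_domain` is a hypothetical example.

```shell
# Added example (not from the thread or libvirt): probe the loaded policy
# through selinuxfs. FS is the selinuxfs mount point (normally /sys/fs/selinux),
# passed as a parameter so the functions can be exercised on a fake tree.

# selinux_class_known FS CLASS -> success if the policy defines CLASS
selinux_class_known() {
    [ -d "$1/class/$2" ]
}

# selinux_perm_known FS CLASS PERM -> success if PERM exists for CLASS
selinux_perm_known() {
    [ -e "$1/class/$2/perms/$3" ]
}

# selinux_deny_unknown FS -> prints "deny" or "allow"; this is the same flag
# that libselinux's security_deny_unknown() returns (1 = deny unknown classes)
selinux_deny_unknown() {
    if [ "$(cat "$1/deny_unknown" 2>/dev/null)" = "1" ]; then
        echo deny
    else
        echo allow
    fi
}

# decide_access FS CLASS PERM -> prints "policy", "deny" or "allow".
# "policy" means the class and permission are defined, so a normal AVC
# query applies; otherwise the kernel's unknown-class handling is the answer.
decide_access() {
    if selinux_class_known "$1" "$2" && selinux_perm_known "$1" "$2" "$3"; then
        echo policy
    else
        selinux_deny_unknown "$1"
    fi
}
```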

