Defining new access vectors & security classes in policy modules ?

Daniel P. Berrange berrange at redhat.com
Mon Jan 23 16:07:25 UTC 2012


On Mon, Jan 23, 2012 at 10:49:36AM -0500, Daniel J Walsh wrote:
> On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> > On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange
> > wrote:
> >> I'm working on adding fine grained access control to libvirt and
> >> need to define a bunch of new object classes & their
> >> corresponding access vectors.
> >> 
> >> For the sake of simplifying my development / testing cycle, I'm
> >> wondering if it is possible to define access vectors / security
> >> classes in the individual policy module files, rather than in the
> >> top level global flask/{access_vectors,security_classes} files,
> >> which would require me to rebuild the entire policy for every
> >> change I make.
> I don't think this is supported.  I.e. putting these into a module will not work.

Ok, I guess I better do a more thorough job of analysing the libvirt
APIs to identify access vectors before I go further then.


> > Also, I see the 'security_deny_unknown()' method call tells you
> > whether the kernel policy wants unknown object classes/access
> > vectors to be treated as a denial or not. Is it possible to toggle
> > the allow/deny behaviour with a runtime tunable, as with setenforce,
> > or is it hardcoded in the policy?
> > 
> > Regards, Daniel
> I don't think you can toggle this.  It might be possible to put
> something into semanage to turn on and off this flag but currently
> this is a base policy issue.

Don't worry about it - this isn't a feature I actively need - I was
just wondering if it was there so I could do some tests, nothing I
can't do without.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
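As an added illustration (not from this thread, and not libvirt's actual policy), this is the shape of the change Dan Walsh's answer implies: a new class and its permissions must be declared in the global flask files and the base policy rebuilt, after which a loadable module can only reference them. The class name `virt_domain`, the permission names and the type names are hypothetical.

```text
# policy/flask/security_classes  (global file; changing it means a full policy rebuild)
# hypothetical object class for libvirt domain objects
class virt_domain

# policy/flask/access_vectors  (global file; same rebuild requirement)
# hypothetical permissions; one access vector bit each
class virt_domain
{
	getattr
	start
	stop
	migrate
}

# virt_acl.te  (a loadable policy module; may only *reference* the class above)
policy_module(virt_acl, 1.0)

type virtd_t;        # hypothetical domain for the libvirt daemon
type virt_domain_t;  # hypothetical type labelling guest domain objects

# Permitted in a module: rules over classes the base policy already knows.
allow virtd_t virt_domain_t:virt_domain { getattr start stop };

# Not permitted in a module: a "class virt_domain { ... }" declaration here
# is rejected by the module compiler, so every new class or permission
# still costs a base policy rebuild, as the reply states.
```

The related deny_unknown behaviour is likewise fixed at base policy compile time (checkpolicy's `-U allow|deny|reject`, exposed as `UNK_PERMS` in refpolicy's `build.conf`), and `security_deny_unknown()` only reads the resulting kernel flag, which is why there is no setenforce-style runtime toggle.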
