How can the kernel distinguish objects in the system from objects in the policy? I
mean, how does the kernel know that this allow rule is correct for /etc/passwd
and not for /etc itself (as a dir):
allow httpd_t etc_t : file { ioctl read getattr lock open } ;
Ok, it is written in the policy that it is a file, but that is only an object
class. Is it defined somewhere that object class 'file' is a file, and
object class 'dir' is a directory?
How can I create a new object class named foo, which will be used for
named_pipe?
The names of objects, types and other things in policy are simply
opaque string identifiers; they hold no intrinsic meaning. It is
their usage in object managers and in the policy configuration itself
that gives them meaning. The object class for directories could very
well have been named "foo"; object managers would simply then use this
string (or its integer constant equivalent) when referring to
directories in interaction with the security server.
For more information, please refer to "Configuring the SELinux
Policy," at http://www.nsa.gov/research/_files/selinux/papers/policy2/x109.shtml.
The page pointed to by that URL contains an explanation of TE types and
their lack of implicit meaning, being defined only through their
usage.
Thanks,
David
On Thu, Nov 3, 2011 at 8:30 AM, Artur Szymczak <artur@nadzieja.pl> wrote:
> Hi,
>
> How can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but that is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
>
> Regards
>
> --
> Artur Szymczak | RHCE: 100-001-734 | CAcert Assurer
> RHCA, RHCSS, RHCX, CLE11, CNI, UCP-1, UCI, Linux+, LPIC-2
> GPG: C03A 385E 5C10 82C5 6564 C1E9 3D6A 616E B15D 122D
> http://CodzienneChodzenieZBogiem.blogspot.com/
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
On 11/03/2011 08:30, Artur Szymczak wrote:
> Hi,
>
> How can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but that is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
>
> Regards
Apologies if this goes through twice; I sent it from the wrong email
address.
With regards to adding a new object class and permission, this link goes
over how to add permissions, but you can use the same technique for
adding an object class as well. [1]
11-04-2011, 11:41 AM
Stephen Smalley
Object Classes and kernel
On Thu, 2011-11-03 at 13:30 +0100, Artur Szymczak wrote:
> Hi,
>
> How can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but that is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
Others have explained how to define new classes in the policy, but to
actually have that class used by the kernel, you need to modify the
SELinux hook functions to use the class. If you look at
security/selinux/hooks.c in the kernel sources, you'll see references to
SECCLASS_*. Those symbols are generated from the
security/selinux/include/classmap.h file, as are the permission symbol
definitions.
--
Stephen Smalley
National Security Agency