Old 11-03-2011, 11:30 AM
Artur Szymczak
 
Object Classes and kernel

Hi,

how can the kernel distinguish objects in the system from objects in the policy? I
mean, how does the kernel know that this allow rule is correct for /etc/passwd
and not for /etc itself (as a dir):
allow httpd_t etc_t : file { ioctl read getattr lock open } ;

Ok, it is written in the policy that it is a file, but it is only an object
class. Is it defined somewhere that object class 'file' is a file, and
object class 'dir' is a directory?

How can I create a new object class named foo, which will be used for
named_pipe?

Regards

--
Artur Szymczak | RHCE: 100-001-734 | CAcert Assurer
RHCA, RHCSS, RHCX, CLE11, CNI, UCP-1, UCI, Linux+, LPIC-2
GPG: C03A 385E 5C10 82C5 6564 C1E9 3D6A 616E B15D 122D
http://CodzienneChodzenieZBogiem.blogspot.com/

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 11-03-2011, 01:31 PM
David Windsor
 
Object Classes and kernel

The names of objects, types and other things in policy are simply
opaque string identifiers; they hold no intrinsic meaning. It is
their usage in object managers and in the policy configuration itself
that gives them meaning. The object class for directories could very
well have been named "foo"; object managers would simply then use this
string (or its integer constant equivalent) when referring to
directories in interaction with the security server.
For more information, please refer to "Configuring the SELinux
Policy," at http://www.nsa.gov/research/_files/selinux/papers/policy2/x109.shtml.
The page pointed to by that URL contains an explanation of TE types and
their lack of implicit meaning, being defined only through their
usage.
Thanks,
David
On Thu, Nov 3, 2011 at 8:30 AM, Artur Szymczak <artur@nadzieja.pl> wrote:
> Hi,
>
> how can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but it is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
>
> Regards
>
> --
> Artur Szymczak | RHCE: 100-001-734 | CAcert Assurer
> RHCA, RHCSS, RHCX, CLE11, CNI, UCP-1, UCI, Linux+, LPIC-2
> GPG: C03A 385E 5C10 82C5 6564 C1E9 3D6A 616E B15D 122D
> http://CodzienneChodzenieZBogiem.blogspot.com/
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux



--
PGP: 6141 5FFD 11AE 9844 153E *F268 7C98 7268 6B19 6CC9
 
Old 11-03-2011, 01:54 PM
David Quigley
 
Object Classes and kernel

On 11/03/2011 08:30, Artur Szymczak wrote:
> Hi,
>
> how can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but it is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?
>
> Regards

Apologies if this goes through twice; I sent it from the wrong email
address.


With regards to adding a new object class and permission, this link goes
over how to add permissions, but you can use the same technique for
adding an object class as well. [1]


[1] http://www.selinuxproject.org/page/Adding_New_Permissions

 
Old 11-04-2011, 11:41 AM
Stephen Smalley
 
Object Classes and kernel

On Thu, 2011-11-03 at 13:30 +0100, Artur Szymczak wrote:
> Hi,
>
> how can the kernel distinguish objects in the system from objects in the policy? I
> mean, how does the kernel know that this allow rule is correct for /etc/passwd
> and not for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> Ok, it is written in the policy that it is a file, but it is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?

Others have explained how to define new classes in the policy, but to
actually have that class used by the kernel, you need to modify the
SELinux hook functions to use the class. If you look at
security/selinux/hooks.c in the kernel sources, you'll see references to
SECCLASS_*. Those symbols are generated from the
security/selinux/include/classmap.h file, as are the permission symbol
definitions.

--
Stephen Smalley
National Security Agency
