Defining new access vectors & security classes in policy modules ?
I'm working on adding fine grained access control to libvirt and need to
define a bunch of new object classes & their corresponding access vectors.

For the sake of simplifying my development / testing cycle, I'm wondering
if it is possible to define access vectors / security classes in the
individual policy module files, rather than in the top level global
flask/{access_vectors,security_classes} file, which would require me to
rebuild the entire policy for every change I make.

Regards,
Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Defining new access vectors & security classes in policy modules ?
On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> I'm working on adding fine grained access control to libvirt and need to
> define a bunch of new object classes & their corresponding access
> vectors.
>
> For the sake of simplifying my development / testing cycle, I'm wondering
> if it is possible to define access vectors / security classes in the
> individual policy module files, rather than in the top level global
> flask/{access_vectors,security_classes} file, which would require me to
> rebuild the entire policy for every change I make.

Also, I see the 'security_deny_unknown()' method call tells you whether
the kernel policy wants unknown object classes/access vectors to be
treated as a denial or not. Is it possible to toggle the allow/deny
behaviour with a runtime tunable, as with setenforce, or is it hardcoded
in the policy?

Regards,
Daniel
Defining new access vectors & security classes in policy modules ?
On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
>> I'm working on adding fine grained access control to libvirt and
>> need to define a bunch of new object classes & their
>> corresponding access vectors.
>>
>> For the sake of simplifying my development / testing cycle, I'm
>> wondering if it is possible to define access vectors / security
>> classes in the individual policy module files, rather than in the
>> top level global flask/{access_vectors,security_classes} file,
>> which would require me to rebuild the entire policy for every
>> change I make.

I don't think this is supported, i.e. putting these into a module will
not work.

> Also, I see the 'security_deny_unknown()' method call tells you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable, as with setenforce,
> or is it hardcoded in the policy?
>
> Regards,
> Daniel

I don't think you can toggle this. It might be possible to put
something into semanage to turn on and off this flag but currently
this is a base policy issue.
Defining new access vectors & security classes in policy modules ?
On Mon, Jan 23, 2012 at 10:49:36AM -0500, Daniel J Walsh wrote:
> On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> > On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> >> I'm working on adding fine grained access control to libvirt and
> >> need to define a bunch of new object classes & their
> >> corresponding access vectors.
> >>
> >> For the sake of simplifying my development / testing cycle, I'm
> >> wondering if it is possible to define access vectors / security
> >> classes in the individual policy module files, rather than in the
> >> top level global flask/{access_vectors,security_classes} file,
> >> which would require me to rebuild the entire policy for every
> >> change I make.
>
> I don't think this is supported, i.e. putting these into a module will
> not work.

Ok, I guess I'd better do a more thorough job of analysing the libvirt
APIs to identify access vectors before I go further then.

> > Also, I see the 'security_deny_unknown()' method call tells you
> > whether the kernel policy wants unknown object classes/access
> > vectors to be treated as a denial or not. Is it possible to toggle
> > the allow/deny behaviour with a runtime tunable, as with setenforce,
> > or is it hardcoded in the policy?
> >
> > Regards,
> > Daniel
>
> I don't think you can toggle this. It might be possible to put
> something into semanage to turn on and off this flag but currently
> this is a base policy issue.

Don't worry about it - this isn't a feature I actively need - I was
just wondering if it was there so I could do some tests, nothing I
can't do without.

Daniel
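The thread leaves the practical consequence implicit: because the unknown-class/permission handling is fixed in the base policy, a userspace object manager has to read that setting and decide for itself what to do with a class the loaded policy does not know. The following is an added example, not code from this thread, libvirt or libselinux. It reads the same selinuxfs nodes libselinux consults (`deny_unknown`, which is 1 when the policy was built to deny unknowns and 0 when it allows them, and `class/<class>/perms/<perm>`, which exists only for classes and permissions the loaded policy defines) and derives a verdict before any AVC query. The class `virt_domain` and permission `start` are hypothetical names used only to exercise the unknown-class path; the optional root argument exists so the logic can be run against a constructed directory tree instead of a live `/sys/fs/selinux`.

```shell
#!/bin/sh
# Decide how an object manager should treat an access check whose class or
# permission is not defined by the loaded kernel policy.  selinuxfs exposes
# the policy's handle-unknown setting as deny_unknown (1 = deny, 0 = allow)
# and the known classes/permissions as class/<class>/perms/<perm>.

# Print the policy's unknown-handling mode: "deny", "allow" or "unavailable"
# (no readable selinuxfs at $1).  Default root is /sys/fs/selinux.
unknown_mode() {
    root=${1:-/sys/fs/selinux}
    if [ ! -r "$root/deny_unknown" ]; then
        echo unavailable
        return 0
    fi
    case "$(cat "$root/deny_unknown")" in
        1) echo deny ;;
        0) echo allow ;;
        *) echo unavailable ;;
    esac
}

# Report ("yes"/"no") whether the loaded policy defines class $2 with
# permission $3.
class_perm_known() {
    root=${1:-/sys/fs/selinux}
    if [ -e "$root/class/$2/perms/$3" ]; then echo yes; else echo no; fi
}

# Verdict an object manager can take before asking the AVC:
#   known - the class/perm exists, so a normal AVC query decides;
#   allow - unknown, and the base policy was built to allow unknowns;
#   deny  - unknown and the policy denies unknowns, or the setting could not
#           be read (fail closed rather than guess).
precheck() {
    root=$1 class=$2 perm=$3
    if [ "$(class_perm_known "$root" "$class" "$perm")" = yes ]; then
        echo known
        return 0
    fi
    if [ "$(unknown_mode "$root")" = allow ]; then echo allow; else echo deny; fi
}

# Stand-alone run: inspect the live system when selinuxfs is mounted.
# "virt_domain"/"start" is a hypothetical class/permission pair.
if [ -d /sys/fs/selinux ]; then
    printf 'unknown handling: %s\n' "$(unknown_mode)"
    printf 'file:read        -> %s\n' "$(precheck /sys/fs/selinux file read)"
    printf 'virt_domain:start -> %s\n' "$(precheck /sys/fs/selinux virt_domain start)"
fi
```

The fail-closed branch is the part worth keeping in mind when developing new classes the way the thread describes: while the base policy has not yet been rebuilt with the new `security_classes`/`access_vectors` entries, every check on the new class resolves to whatever `deny_unknown` says, and on a policy built with `handle-unknown = deny` that is a denial regardless of any allow rules in the module.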