Defining new access vectors & security classes in policy modules ?
I'm working on adding fine grained access control to libvirt and need to
define a bunch of new object classes & their corresponding access
vectors.
For the sake of simplifying my development / testing cycle, I'm wondering
if it is possible to define access vectors / security classes in the
individual policy module files, rather than in the top level global
flask/{access_vectors,security_classes} files, which would require me to
rebuild the entire policy for every change I make.
Defining new access vectors & security classes in policy modules ?
On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> I'm working on adding fine grained access control to libvirt and need to
> define a bunch of new object classes & their corresponding access
> vectors.
>
> For the sake of simplifying my development / testing cycle, I'm wondering
> if it is possible to define access vectors / security classes in the
> individual policy module files, rather than in the top level global
> flask/{access_vectors,security_classes} files, which would require me to
> rebuild the entire policy for every change I make.
Also, I see the 'security_deny_unknown()' method call tells you whether
the kernel policy wants unknown object classes/access vectors to be
treated as a denial or not. Is it possible to toggle the allow/deny
behaviour with a runtime tunable, as with setenforce, or is it hardcoded
in the policy ?
Defining new access vectors & security classes in policy modules ?
On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange
> wrote:
>> I'm working on adding fine grained access control to libvirt and
>> need to define a bunch of new object classes & their
>> corresponding access vectors.
>>
>> For the sake of simplifying my development / testing cycle, I'm
>> wondering if it is possible to define access vectors / security
>> classes in the individual policy module files, rather than in the
>> top level global flask/{access_vectors,security_classes} files,
>> which would require me to rebuild the entire policy for every
>> change I make.
I don't think this is supported, i.e. putting these into a module will not work.
>
> Also, I see the 'security_deny_unknown()' method call tells you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable, as with setenforce,
> or is it hardcoded in the policy ?
>
> Regards, Daniel
I don't think you can toggle this. It might be possible to put
something into semanage to turn this flag on and off, but currently
this is a base policy issue.
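For readers who have not seen them, this is what the base-policy definitions referred to above look like. It is an added illustration, not text from the thread or from libvirt's policy; the class and permission names are made up. In refpolicy the two files live under policy/flask/, and classes for userspace object managers are conventionally marked with a "# userspace" comment:

```text
# policy/flask/security_classes  (one line per class; new classes are appended)
class virt_domain                 # userspace

# policy/flask/access_vectors  (the permissions, i.e. the access vector,
# that the class carries)
class virt_domain
{
	getattr
	start
	stop
	migrate
}
```

Only after the base policy has been rebuilt and loaded with these entries can a module's .te file reference the class, e.g. in a (hypothetical) rule such as allow virtd_t virt_domain_t:virt_domain { start stop }; which is why every change to the class or its permissions costs a full base-policy rebuild.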
Defining new access vectors & security classes in policy modules ?
On Mon, Jan 23, 2012 at 10:49:36AM -0500, Daniel J Walsh wrote:
> On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> > On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange
> > wrote:
> >> I'm working on adding fine grained access control to libvirt and
> >> need to define a bunch of new object classes & their
> >> corresponding access vectors.
> >>
> >> For the sake of simplifying my development / testing cycle, I'm
> >> wondering if it is possible to define access vectors / security
> >> classes in the individual policy module files, rather than in the
> >> top level global flask/{access_vectors,security_classes} files,
> >> which would require me to rebuild the entire policy for every
> >> change I make.
> I don't think this is supported, i.e. putting these into a module will not work.
Ok, I guess I'd better do a more thorough job of analysing the libvirt
APIs to identify access vectors before I go further then.
> > Also, I see the 'security_deny_unknown()' method call tells you
> > whether the kernel policy wants unknown object classes/access
> > vectors to be treated as a denial or not. Is it possible to toggle
> > the allow/deny behaviour with a runtime tunable, as with setenforce,
> > or is it hardcoded in the policy ?
> >
> > Regards, Daniel
> I don't think you can toggle this. It might be possible to put
> something into semanage to turn this flag on and off, but currently
> this is a base policy issue.
Don't worry about it - this isn't a feature I actively need - I was
just wondering if it was there so I could do some tests, nothing I
can't do without.
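The deny_unknown flag discussed in this thread is fixed when the base policy is built (the handle_unknown setting compiled into the binary policy, set via checkpolicy's -U option or handle-unknown in semanage.conf) and is exposed read-only by the kernel in /sys/fs/selinux/deny_unknown; setenforce does not touch it. The following is an added example, not code from the thread or from libvirt, showing how a userspace object manager can use that flag when asked to check a class or permission its loaded policy does not define. The class table is a constructed stand-in for the loaded policy and the class names (virt_domain, virt_network, virt_storage) are hypothetical; a real object manager would call libselinux's string_to_security_class() and string_to_av_perm() instead, and libselinux's security_deny_unknown() reads the same selinuxfs file that read_deny_unknown() reads here.

```c
/*
 * Added example, not code from this thread or from libvirt.  Decides what a
 * userspace object manager should do with an access check on a class or
 * permission the loaded policy does not define, driven by the kernel's
 * deny_unknown flag.  The class table is a constructed stand-in for the
 * loaded policy (hypothetical names); libselinux's string_to_security_class()
 * / string_to_av_perm() are the real lookups, and security_deny_unknown()
 * reads the same selinuxfs file as read_deny_unknown() below.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SELINUX_DENY_UNKNOWN_PATH "/sys/fs/selinux/deny_unknown"

enum unknown_decision {
    DECISION_CHECK_AVC = 0,   /* class and perm known: run the real AVC check */
    DECISION_ALLOW_UNKNOWN,   /* not in policy, built with handle_unknown=allow */
    DECISION_DENY_UNKNOWN,    /* not in policy, built with handle_unknown=deny/reject */
    DECISION_FAIL_CLOSED      /* not in policy and flag unreadable: deny */
};

struct policy_class {
    const char *name;
    const char *perms[8];     /* NULL-terminated */
};

/* Constructed stand-in for the classes/permissions the loaded policy defines. */
static const struct policy_class known_classes[] = {
    { "virt_domain",  { "getattr", "start", "stop", "migrate", NULL } },
    { "virt_network", { "getattr", "start", "stop", NULL } },
};

/* 1 if the policy defines class_name with permission perm, else 0. */
int policy_knows(const char *class_name, const char *perm)
{
    size_t i, j;
    for (i = 0; i < sizeof(known_classes) / sizeof(known_classes[0]); i++) {
        if (strcmp(known_classes[i].name, class_name) != 0)
            continue;
        for (j = 0; known_classes[i].perms[j] != NULL; j++)
            if (strcmp(known_classes[i].perms[j], perm) == 0)
                return 1;
        return 0;             /* class known, permission not */
    }
    return 0;                 /* class not defined at all */
}

/* Parse deny_unknown contents: "0\n" -> 0 (allow), "1\n" -> 1 (deny), else -1. */
int parse_deny_unknown(const char *contents)
{
    const char *p;
    if (contents == NULL || (contents[0] != '0' && contents[0] != '1'))
        return -1;
    for (p = contents + 1; *p != '\0'; p++)
        if (!isspace((unsigned char)*p))
            return -1;
    return contents[0] - '0';
}

/* Read the flag from selinuxfs; -1 if selinuxfs is not mounted or unreadable. */
int read_deny_unknown(const char *path)
{
    char buf[16];
    size_t n;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_deny_unknown(buf);
}

/* The object manager's decision before it consults the AVC at all.
 * Unknown class or perm with an unreadable flag fails closed on purpose. */
enum unknown_decision decide(const char *class_name, const char *perm,
                             int deny_unknown)
{
    if (policy_knows(class_name, perm))
        return DECISION_CHECK_AVC;
    if (deny_unknown < 0)
        return DECISION_FAIL_CLOSED;
    return deny_unknown ? DECISION_DENY_UNKNOWN : DECISION_ALLOW_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "check-avc", "allow-unknown",
                                   "deny-unknown", "fail-closed" };
    static const char *requests[][2] = {
        { "virt_domain", "start" },     /* defined in the table above */
        { "virt_domain", "snapshot" },  /* class known, permission not */
        { "virt_storage", "create" },   /* class not defined at all */
    };
    int deny_unknown = read_deny_unknown(SELINUX_DENY_UNKNOWN_PATH);
    size_t i;

    printf("deny_unknown = %d (-1: selinuxfs not available)\n", deny_unknown);
    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++)
        printf("%s:%s -> %s\n", requests[i][0], requests[i][1],
               names[decide(requests[i][0], requests[i][1], deny_unknown)]);
    return 0;
}
```

On a host with SELinux mounted, the first line prints the value the policy was built with; on a host without selinuxfs the example deliberately treats unknown classes and permissions as denied rather than silently allowing them, which is the safer default for an object manager whose policy definitions have not caught up with its code.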