Re: Object Classes and kernel

On Thu, 2011-11-03 at 13:30 +0100, Artur Szymczak wrote:
> Hi,
> 
> how can the kernel distinguish objects in the system from objects in
> policy? I mean, how does the kernel know that this allow rule applies to
> /etc/passwd and not to /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
> 
> Ok, it is written in policy that it is a file, but that is only an object
> class. Is it defined somewhere that object class 'file' is a file, and
> object class 'dir' is a directory?
> 
> How can I create a new object class named foo, which will be used for
> named_pipe?

Others have explained how to define new classes in the policy, but to
actually have that class used by the kernel, you need to modify the
SELinux hook functions to use the class.  If you look at
security/selinux/hooks.c in the kernel sources, you'll see references to
SECCLASS_*.  Those symbols are generated from the
security/selinux/include/classmap.h file, as are the permission symbol
definitions.

-- 
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux