On Thu, 2011-11-03 at 13:30 +0100, Artur Szymczak wrote:
> Hi,
>
> How can the kernel distinguish objects in the system from objects in the
> policy? I mean, how does the kernel know that this allow rule is correct
> for /etc/passwd and not correct for /etc itself (as a dir):
> allow httpd_t etc_t : file { ioctl read getattr lock open } ;
>
> OK, it is written in the policy that it is a file, but that is only an
> object class. Is it defined somewhere that object class 'file' is a file,
> and object class 'dir' is a directory?
>
> How can I create a new object class named foo, which will be used for
> named_pipe?

Others have explained how to define new classes in the policy, but to actually have that class used by the kernel, you need to modify the SELinux hook functions to use the class. If you look at security/selinux/hooks.c in the kernel sources, you'll see references to SECCLASS_*. Those symbols are generated from the security/selinux/include/classmap.h file, as are the permission symbol definitions.

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux