On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
>> I'm working on adding fine grained access control to libvirt and
>> need to define a bunch of new object classes & their corresponding
>> access vectors.
>>
>> For the sake of simplifying my development / testing cycle, I'm
>> wondering if it is possible to define access vectors / security
>> classes in the individual policy module files, rather than in the
>> top level global flask/{access_vectors,security_classes} file,
>> which would require me to rebuild the entire policy for every
>> change I make.

I don't think this is supported, i.e. putting these into a module will not work.

> Also, I see the 'security_deny_unknown()' method call tells you
> whether the kernel policy wants unknown object classes/access
> vectors to be treated as a denial or not. Is it possible to toggle
> the allow/deny behaviour with a runtime tunable as with setenforce,
> or is it hardcoded in the policy?
>
> Regards,
> Daniel

I don't think you can toggle this. It might be possible to put something into semanage to turn on and off this flag, but currently this is a base policy issue.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
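As an added illustration of the unknown-class handling discussed in the reply above (this is not code from the thread, from libvirt or from the SELinux userspace), the script below reads the same selinuxfs files that libselinux consults: security_deny_unknown() reads deny_unknown (and the kernel also exposes reject_unknown), and string_to_security_class() looks for class/<name>/index under the selinuxfs mount. Given a class name such as the ones libvirt would add, it reports whether the loaded policy defines the class and, if not, whether lookups against it will be allowed or denied. The selinuxfs directory is a parameter so the functions can be pointed at a constructed directory; the class name virt_domain used in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Assumes the kernel's selinuxfs layout: <dir>/deny_unknown, <dir>/reject_unknown
# and <dir>/class/<classname>/index. The default <dir> is /sys/fs/selinux.

# Usage: unknown_policy_mode [selinuxfs_dir]
# Prints "allow", "deny" or "reject" (how the loaded policy was built to treat
# classes/permissions it does not define), or "unavailable" if selinuxfs is not
# mounted at the given path. Returns 1 when unavailable.
unknown_policy_mode() {
    dir="${1:-/sys/fs/selinux}"
    if [ ! -r "$dir/deny_unknown" ]; then
        echo unavailable
        return 1
    fi
    deny=$(cat "$dir/deny_unknown")
    reject=0
    [ -r "$dir/reject_unknown" ] && reject=$(cat "$dir/reject_unknown")
    if [ "$reject" = "1" ]; then
        # Built with handle-unknown=reject: a policy with unknowns is refused at load time.
        echo reject
    elif [ "$deny" = "1" ]; then
        # Built with handle-unknown=deny: unknown class/permission lookups are denied.
        echo deny
    else
        # Built with handle-unknown=allow: unknown class/permission lookups are allowed.
        echo allow
    fi
}

# Usage: class_decision <class_name> [selinuxfs_dir]
# Prints "defined" if the loaded policy defines the class (selinuxfs exposes
# class/<name>/index for every class in the policy), otherwise the fallback the
# kernel applies to an unknown class, as reported by unknown_policy_mode.
class_decision() {
    cls="$1"
    dir="${2:-/sys/fs/selinux}"
    if [ -r "$dir/class/$cls/index" ]; then
        echo defined
    else
        unknown_policy_mode "$dir"
    fi
}

# Stand-alone usage: ./check_unknown.sh virt_domain   (hypothetical class name)
if [ -n "${1:-}" ]; then
    class_decision "$1"
else
    unknown_policy_mode || :
fi
```

The value read here is fixed when the policy is compiled (checkpolicy's -U/--handle-unknown option, which refpolicy exposes as UNK_PERMS in build.conf), so, as the reply says, changing it means rebuilding and reloading the policy rather than flipping a runtime switch like setenforce. A userspace object manager that defines its own classes should therefore expect an older loaded policy to either allow or deny everything on those classes, depending on this flag, until the policy has been rebuilt with the new class definitions.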