On Mon, Jan 23, 2012 at 10:49:36AM -0500, Daniel J Walsh wrote:
> On 01/20/2012 08:11 AM, Daniel P. Berrange wrote:
> > On Fri, Jan 20, 2012 at 12:46:07PM +0000, Daniel P. Berrange wrote:
> >> I'm working on adding fine grained access control to libvirt and
> >> need to define a bunch of new object classes & their
> >> corresponding access vectors.
> >>
> >> For the sake of simplifying my development / testing cycle, I'm
> >> wondering if it is possible to define access vectors / security
> >> classes in the individual policy module files, rather than in the
> >> top level global flask/{access_vectors,security_classes} file,
> >> which would require me to rebuild the entire policy for every
> >> change I make.
>
> I don't think this is supported. IE putting these into a module will not work.

Ok, I guess I better do a more thorough job of analysing the libvirt APIs to identify access vectors before I go further then.

> > Also, I see the 'security_deny_unknown()' method call tells you
> > whether the kernel policy wants unknown object classes/access
> > vectors to be treated as a denial or not. Is it possible to toggle
> > the allow/deny behaviour with a runtime tunable as we setenforce,
> > or is it hardcoded in the policy ?
> >
> > Regards, Daniel
>
> I don't think you can toggle this. It might be possible to put
> something into semanage to turn on and off this flag but currently
> this is a base policy issue.

Don't worry about it - this isn't a feature I actively need - I was just wondering if it was there so I could do some tests, nothing I can't do without.
Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
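The security_deny_unknown() point in the thread, as an added example (this is not libvirt's or libselinux's code). A userspace object manager such as the one libvirt was planning has to decide what to do when it is asked about an object class the loaded kernel policy does not define. The kernel exposes the policy's handle_unknown setting read-only through selinuxfs (/sys/fs/selinux/deny_unknown on current kernels, /selinux/deny_unknown on the systems of the time; libselinux's security_deny_unknown() reads that same file), and the setting is fixed when the policy is built (checkpolicy's -U option), which is why it cannot be toggled like setenforce. The known-class table, the class name "example_unknown_class" and all function names below are hypothetical, standing in for the lookup that string_to_security_class() performs against the running policy:

```c
/* Added example, not libvirt or libselinux code. Shows how an object
 * manager turns the kernel's deny_unknown setting into a decision for a
 * class the loaded policy does not know. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed selinuxfs mount point (older systems used /selinux). */
#define DENY_UNKNOWN_PATH "/sys/fs/selinux/deny_unknown"

/* Parse the one-line contents of deny_unknown: "0" means the policy was
 * built to allow unknown classes/permissions, "1" means deny.
 * Returns -1 for anything else (treated as "unknown setting"). */
int parse_deny_unknown(const char *buf)
{
    char *end;
    long v;

    if (buf == NULL || *buf == '\0')
        return -1;
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf)
        return -1;
    while (*end == '\n' || *end == ' ')   /* tolerate trailing newline */
        end++;
    if (*end != '\0' || (v != 0 && v != 1))
        return -1;
    return (int)v;
}

/* Read the kernel's setting. Returns -1 when selinuxfs is not mounted
 * (for example on the host this example is compiled on). */
int read_deny_unknown(void)
{
    char buf[16];
    FILE *f = fopen(DENY_UNKNOWN_PATH, "r");

    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_deny_unknown(buf);
}

/* Constructed stand-in for the classes the running kernel policy knows;
 * in real code this is string_to_security_class() returning non-zero. */
static const char *const known_classes[] = { "file", "dir", "process", "socket" };

int class_is_known(const char *cls)
{
    size_t i;
    for (i = 0; i < sizeof known_classes / sizeof known_classes[0]; i++)
        if (strcmp(cls, known_classes[i]) == 0)
            return 1;
    return 0;
}

/* Final decision, 1 = allow, 0 = deny.
 *   policy_allows: what the AVC answered for a class the policy defines.
 *   deny_unknown:  0 allow, 1 deny, -1 setting could not be read.
 * For a known class the AVC answer stands. For an unknown class the
 * kernel's handle_unknown setting decides; if that setting is
 * unreadable the manager fails closed rather than guessing. */
int decide_access(const char *cls, int policy_allows, int deny_unknown)
{
    if (class_is_known(cls))
        return policy_allows ? 1 : 0;
    if (deny_unknown == 0)
        return 1;
    return 0;
}

int main(void)
{
    int setting = read_deny_unknown();

    printf("deny_unknown setting: %d (-1 = selinuxfs not available)\n", setting);
    printf("check on 'file' with AVC allow -> %d\n",
           decide_access("file", 1, setting));
    printf("check on 'example_unknown_class' -> %d\n",
           decide_access("example_unknown_class", 1, setting));
    return 0;
}
```

The fail-closed branch is the practical caveat: an object manager that cannot read deny_unknown (selinuxfs unmounted, or the file absent on an old kernel) should not assume "allow", because that would silently grant every access on a class the policy never defined.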