--- David Howells <dhowells@xxxxxxxxxx> wrote: > Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > That sounds workable, although I think he will want a more specific hook > > than security_secctx_to_secid(), or possibly a second hook call, that > > would not only validate the context but authorize the use of it by the > > cachefilesd process. And then the security_task_kernel_act_as() hook > > just takes the secid as input rather than the task struct of the daemon, > > and applies it. At that point, nfsd can use the same mechanism for > > setting the acting SID based on the client process after doing its own > > authorization. > > I thought using secids was verboten as it made things too specific. I have argued that in the past. I'm reasonably convinced that I have lost that argument at least for the immediate future as audit, usb, and networking are all dependent on them. I can't image an LSM that manages to avoid them, at least for the short term. If secid's are ever expundged from the kernel cachefiles will require reeducation, but that will be a minor effort. > Have you example code for the security hook you mention? I'm not sure I > understand why security_secctx_to_secid() is not sufficient. > > Or is it that I need something that takes a secctx, converts it to a secid > and > authorises its use all in one go? > If it's this, why can't that be rolles > into > security_task_kernel_act_as()? That sets up a task_security struct which is > then switched in and out without consultation of the LSM. It would seem to me that security_secctx_to_secid() ought to suffice if the application code was written correctly. Be aware that factors outside the LSM may be important, too. As Stephen points out elsewhere, Smack will require you have particular capabilities (CAP_MAC_OVERRIDE, CAP_MAC_ADMIN) while a DAC LSM may require CAP_DAC_OVERRIDE. SELinux is likely to be the odd duck in this pond in that it does not use the capability mechanism in the way Nature intends it to be, opting to treat "privilege" with a completely different model. Casey Schaufler casey@xxxxxxxxxxxxxxxx -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.