On Mon, 2008-01-14 at 14:06 +0000, David Howells wrote:
> David Howells <dhowells@xxxxxxxxxx> wrote:
>
> > Okay... It looks like I want four security operations/hooks for cachefiles:
>
> FYI, I added the following vectors:
>
>     # kernel services that need to override task security
>     class kernel_service
>     {
>         use_as_override
>         create_files_as
>     }
>
> The first allows:
>
>     avc_has_perm(daemon_tsec->sid, nominated_sid,
>                  SECCLASS_KERNEL_SERVICE,
>                  KERNEL_SERVICE__USE_AS_OVERRIDE,
>                  NULL);
>
> And the second something like:
>
>     avc_has_perm(tsec->sid, inode->sid,
>                  SECCLASS_KERNEL_SERVICE,
>                  KERNEL_SERVICE__CREATE_FILES_AS,
>                  NULL);
>
> Rather than specifically dedicating them to the cache, I made them general.

Make sure that you or Dan submits a policy patch to register these classes and permissions in the policy when the kernel patch is queued for merge.

--
Stephen Smalley
National Security Agency