On Thu, 2008-06-12 at 15:20 -0400, Stephen Smalley wrote:
> On Thu, 2008-06-12 at 14:05 -0500, Xavier Toth wrote:
> > On Thu, Jun 12, 2008 at 1:48 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > >
> > > On Thu, 2008-06-12 at 13:38 -0500, Xavier Toth wrote:
> > >> I wasn't aware until yesterday that there was an API for looking up
> > >> security classes (selinux_set_mapping, the name of which doesn't
> > >> strike me as very intuitive). Can I also lookup the access vectors for
> > >> a class, if so how?
> > >
> > > selinux_set_mapping() does that too. dynamic discovery of classes and
> > > permissions was discussed quite a bit on list. XSELinux uses it, and so
> > > does SE-Postgres.
> > >
> > > --
> > > Stephen Smalley
> > > National Security Agency
> > >
> >
> > I see the posting of the patch but no discussion. Yesterday Eamon
> > posted an example of setting the mapping of a security class but it
> > didn't address perms. I have some python code where I'm calling
> > selinux.avc_has_perm_noaudit and have been using hard coded values for
> > the security class and perm. I'd like to fix this code but am not sure
> > if this or some other capability I'm unaware of will do the trick.
>
> See:
> http://marc.info/?l=selinux&m=118114723416269&w=2
>
> Then your code can use your own set of private definitions for class and
> permission values that are just indices starting from 1, and the
> libselinux avc will map them to the kernel/policy values automatically.

BTW, I agree that all of this ought to be captured in a man page EXAMPLES
section. Worked examples in XSELinux and SE-Postgres are nice but not
quite enough for others to use. And we want existing object managers
like dbusd and nscd to convert over to the new interfaces.

--
Stephen Smalley
National Security Agency
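The translation described in the thread (private class indices starting from 1 and private permission bits, resolved by name to the policy's values) is modelled below as an added example; it is not part of the original messages and is not libselinux code. The `model_*` functions, the `policy` table with its numeric values, and the two sample maps are constructed assumptions, and the model rejects a table that names a class or permission the policy does not define.

```c
#include <stdint.h>
#include <string.h>
enum { MAX_PERMS = 32, MAX_CLASSES = 8 };
/* Private table: class index = position + 1, permission i = bit (1 << i). */
struct class_map { const char *name; const char *perms[MAX_PERMS + 1]; };
/* Constructed stand-in for the loaded policy; names and values are made up. */
static const struct { const char *name; uint16_t value; const char *perms[MAX_PERMS + 1]; }
policy[] = {
    { "file", 6, { "ioctl", "read", "write", "create", NULL } },
    { "db_table", 61, { "create", "drop", "select", "update", NULL } },
};
/* Hypothetical object-manager tables: in my_map class 1 = db_table, class 2 = file. */
static const struct class_map my_map[] = {
    { "db_table", { "select", "update", NULL } }, { "file", { "read", NULL } }, { NULL, { NULL } } };
static const struct class_map bad_map[] = { { "db_table", { "truncate", NULL } }, { NULL, { NULL } } };
static struct { uint16_t value; uint32_t perms[MAX_PERMS]; size_t nperms; } mapping[MAX_CLASSES];
static size_t nmapped; /* stays 0 until a whole table resolves */
/* Resolve every private name against the policy once; -1 if any name is unknown. */
int model_set_mapping(const struct class_map *map) {
    size_t c, p, i, j;
    nmapped = 0;
    for (c = 0; c < MAX_CLASSES && map[c].name != NULL; c++) {
        for (p = 0; p < sizeof(policy) / sizeof(policy[0]); p++)
            if (strcmp(policy[p].name, map[c].name) == 0) break;
        if (p == sizeof(policy) / sizeof(policy[0])) return -1;
        mapping[c].value = policy[p].value;
        mapping[c].nperms = 0;
        for (i = 0; i < MAX_PERMS && map[c].perms[i] != NULL; i++) {
            for (j = 0; policy[p].perms[j] != NULL; j++)
                if (strcmp(policy[p].perms[j], map[c].perms[i]) == 0) break;
            if (policy[p].perms[j] == NULL) return -1;
            mapping[c].perms[mapping[c].nperms++] = UINT32_C(1) << j;
        }
    }
    nmapped = c;
    return 0;
}
/* Private class index (from 1) -> policy class value; 0 means unmapped. */
uint16_t model_unmap_class(uint16_t tclass) {
    return (tclass >= 1 && tclass <= nmapped) ? mapping[tclass - 1].value : 0;
}
/* Private access vector -> policy access vector for that class. */
uint32_t model_unmap_perm(uint16_t tclass, uint32_t av) {
    uint32_t out = 0;
    if (tclass < 1 || tclass > nmapped) return 0;
    for (size_t i = 0; i < mapping[tclass - 1].nperms; i++)
        if (av & (UINT32_C(1) << i)) out |= mapping[tclass - 1].perms[i];
    return out;
}
int main(void) { return (model_set_mapping(my_map) == 0 && model_unmap_perm(1, 0x3) == 0xC) ? 0 : 1; }
```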