Stephen Smalley wrote:

I can't find any evidence that my version of libselinux contains the selinux_set_mapping function. I am using CentOS 5.1 with libselinux version 1.33.4. I have been learning RHEL 5 tends to be a bit behind the times with regards to SELinux functionality. Does libselinux 1.33.4 not have the dynamic class/permission lookup facilities?

If it does not, any advice on how to add object classes / permissions to policy? Moving to Fedora is a possibility, maybe it's worth considering as this would not be the first issue we have had with an outdated SELinux mechanism on RHEL 5 (?).

We are integrating SELinux TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does not have the database related object classes / permissions in the base policy where the most recent Fedora does, hence my need to add the object classes / permissions in RHEL 5.

On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:

On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:

When adding new object classes and permissions to SELinux policy is it necessary to re-create flask.h and av_permissions.h header files so that a user-space object manager can access the associated defines? If so, would someone give me some pointers as to how these are generated?

You should use the dynamic class/permission lookup facilities for any new code.

man selinux_set_mapping

XSELinux and SE-PostgreSQL are already using it I believe. Example usage from XSELinux: http://marc.info/?l=selinux&m=118114723416269&w=2