David, Stephen && Shaz,
Thanks for your answers. They helped me a lot.
--
Sebastian Pfaff
Sebastian,
I think Steve covered it fairly well. The description in the book was defining the object managers in a more abstract way; i.e., defining the kernel subsystems as object managers. As Steve said, in reality, the entire kernel is the object manager for all of the kernel objects (files, directories, sockets, etc.) because the code is all in kernel space. The user space object managers (e.g., X, dbus, sepostgres, etc.) are individual object managers in that they all operate in separate process space outside of the kernel and enforce decisions on access to objects they define.
We didn't mean to say or imply that each LSM hook was an object manager. They are, as Steve said, enforcement points hooked into the appropriate kernel subsystems that manage the relevant kernel objects. In the book we were trying to strike a balance between abstraction of concepts and actual implementation details.
David
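The split described in this message (one security server acting as policy decision point, several object managers acting as policy enforcement points, each enforcing decisions only on objects it defines) sketched as a small C model. This is an added illustration written for this page, not libselinux, X server, D-Bus or kernel code; the type names (user_t, user_xwindow_t, system_bus_t), the two object classes, the allow rules and the tiny fixed-size access vector cache are all made up for the example.

```c
/*
 * Model of the FLASK split: one security server (PDP) serves several
 * object managers (PEPs). Each object manager labels and guards only the
 * objects it defines, caches decisions, and asks the PDP on a cache miss.
 * Illustration only; types, classes and rules are hypothetical.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Permission bits within a class (made-up subset). */
enum { PERM_READ = 1u << 0, PERM_WRITE = 1u << 1, PERM_SEND = 1u << 2 };

/* Object classes: each object manager defines the classes for its own objects. */
enum obj_class { CLASS_X_WINDOW = 1, CLASS_DBUS_BUS = 2 };

/* ---- Security server (PDP): holds policy and computes decisions, enforces nothing. ---- */
struct rule { const char *src; const char *tgt; enum obj_class cls; uint32_t allowed; };

/* Hypothetical allow rules, in the spirit of "allow src tgt:class { perms };". */
static const struct rule policy[] = {
    { "user_t",  "user_xwindow_t", CLASS_X_WINDOW, PERM_READ | PERM_WRITE },
    { "guest_t", "user_xwindow_t", CLASS_X_WINDOW, PERM_READ },
    { "user_t",  "system_bus_t",   CLASS_DBUS_BUS, PERM_SEND },
};

/* Compute the full allowed vector for (src, tgt, class); anything not granted is denied. */
static uint32_t security_compute_av(const char *src, const char *tgt, enum obj_class cls)
{
    uint32_t allowed = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].cls == cls && strcmp(policy[i].src, src) == 0 &&
            strcmp(policy[i].tgt, tgt) == 0)
            allowed |= policy[i].allowed;
    return allowed;
}

/* ---- Object manager (PEP): owns objects, caches decisions, enforces them. ---- */
#define AVC_SLOTS 8
struct avc_entry { const char *src, *tgt; enum obj_class cls; uint32_t allowed; int valid; };

struct object_manager {
    const char *name;
    struct avc_entry avc[AVC_SLOTS];   /* per-manager access vector cache */
    unsigned avc_hits, avc_misses;     /* how often the PDP was actually consulted */
};

/* Return the allowed vector for the triple, asking the PDP only on a cache miss. */
static uint32_t avc_has_perm_vector(struct object_manager *om, const char *src,
                                    const char *tgt, enum obj_class cls)
{
    for (int i = 0; i < AVC_SLOTS; i++) {
        struct avc_entry *e = &om->avc[i];
        if (e->valid && e->cls == cls && strcmp(e->src, src) == 0 &&
            strcmp(e->tgt, tgt) == 0) {
            om->avc_hits++;
            return e->allowed;
        }
    }
    om->avc_misses++;
    uint32_t allowed = security_compute_av(src, tgt, cls);
    int slot = 0;                       /* toy eviction: overwrite slot 0 when full */
    for (int i = 0; i < AVC_SLOTS; i++)
        if (!om->avc[i].valid) { slot = i; break; }
    om->avc[slot] = (struct avc_entry){ src, tgt, cls, allowed, 1 };
    return allowed;
}

/* A policy change must invalidate every object manager's cache, not only the kernel's. */
static void avc_reset(struct object_manager *om)
{
    memset(om->avc, 0, sizeof om->avc);
}

/* The enforcement point: 0 = permitted, -1 = denied (with an AVC-style audit line). */
static int om_check_access(struct object_manager *om, const char *src, const char *tgt,
                           enum obj_class cls, uint32_t requested)
{
    uint32_t allowed = avc_has_perm_vector(om, src, tgt, cls);
    if ((allowed & requested) == requested)
        return 0;
    fprintf(stderr, "%s: avc: denied { 0x%x } scontext=%s tcontext=%s tclass=%d\n",
            om->name, requested & ~allowed, src, tgt, (int)cls);
    return -1;
}

/* Two user-space object managers sharing the single PDP above. */
int main(void)
{
    struct object_manager xserver = { .name = "Xorg" };
    struct object_manager dbus    = { .name = "dbus-daemon" };

    int x_user  = om_check_access(&xserver, "user_t",  "user_xwindow_t", CLASS_X_WINDOW, PERM_WRITE);
    int x_guest = om_check_access(&xserver, "guest_t", "user_xwindow_t", CLASS_X_WINDOW, PERM_WRITE);
    int bus     = om_check_access(&dbus,    "user_t",  "system_bus_t",   CLASS_DBUS_BUS, PERM_SEND);
    printf("X user write=%d, X guest write=%d, dbus send=%d, X PDP queries=%u\n",
           x_user, x_guest, bus, xserver.avc_misses);
    return 0;
}
```

The point the model makes is the one in the thread: neither object manager holds policy, and the PDP never touches an X window or a bus; the X server and D-Bus each decide what counts as an object and a permission in their own class, and each enforces the answer it gets. The per-manager cache is also why a user-space object manager needs to be told about policy reloads.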
-----Original Message-----
From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx]
On Behalf Of Sebastian Pfaff
Sent: Friday, July 24, 2009 8:59 AM
To: Stephen Smalley; selinux@xxxxxxxxxxxxx
Subject: Re: what is an object manager?!
ok, you're trying to tell me that an LSM hook is something similar to what an object manager is in the FLASK architecture. But in general, all LSM hooks as a whole can be considered as one object manager, since in the monolithic Linux kernel there are no different object managers.
The kernel is the object manager. The hooks are merely the points at which the kernel/object manager is instrumented to enforce a policy decision.
ok, thank you. I think I got it.
Now there is one object manager and libselinux exports an interface to the userspace object managers.
Stephen is referring to FLASK/Fluke, a predecessor of SELinux on a microkernel architecture.
I'm not sure if Stephen was referring to FLASK. For me, he referred to the current state in Linux.
I think I described both in that paragraph.
k
The X server is an object manager for its own resources that it manages, and so is Gconf. Dbus is the object manager of its IPC objects. The in-kernel security server is the PDP for all, while the PEPs are the kernel object managers and the userspace object managers (some mentioned earlier).
What is a PDP and what are PEP(s)?
Policy decision point, policy enforcement point. Just another
terminology for the same concepts.
Thanks
--
Sebastian Pfaff
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.