Re: temporal role base access control in Linux

Hello,

avc_has_perm() is for checking if permissions are granted or not (AVC: Access Vector Cache).

A proper method of extending security functionality would be using the LSM APIs and SELinux hooks (LSM: Linux Security Module).

http://www.nsa.gov/research/_files/selinux/papers/module/x280.shtml

But TRBAC can be simulated with SELinux even without writing specific code or modifying SELinux, by combining an appropriate predefined set of policies and a scheduler process (or hierarchical scheduler) with enough (higher) privileges to load policies on the fly.

Of course, that is if such usage does not need atomic role/policy entry (I don't see any practical use for such atomic role entry anyway).

You can find more on implementation here:
http://selinuxproject.org/page/NB_LSM


I'm sorry, but with all due respect, I don't know if helping people in Iran on the subject is legal or not (I'm not a lawyer), but judging from the source of your mail (which is Iran), I prefer not to be involved in any particular help.

Anyway, this is a project developed primarily by the National Security Agency of the USA and its contributors.



Yours,

Patrick K.




On 11/7/2010 7:20 AM, Behnaz Hassanshahi wrote:
Hi,
I want to enforce temporal role-based access control on the Fedora 10
platform. Therefore, I have written a piece of code which receives
simple temporal policy rules and updates a file in which disallowed
roles are kept. In order to attach the code to the Fedora core, I
am making use of SELinux modules. I wonder if the avc_has_perm(...) function
in libselinux/src/avc.c can be the right place for using my code, where
requests will be granted or denied access. Actually, I had thought about
getting the role field from the security_id_t (@ssid) and comparing it
with the denied roles that my code computes. If I'm wrong and this will
not work out, are there any other suggestions for attaching my code to
SELinux?

Best regards,
Behnaz
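Patrick's suggestion of a privileged scheduler that loads and removes policy on the fly, sketched as an added POSIX shell example (not from the thread or from the SELinux project): the module names, the time windows and the .pp path under /etc/selinux/trbac are assumptions, and SEMODULE can be pointed at a stand-in instead of the real semodule(8) for a dry run.

```shell
# Added example: approximate TRBAC by loading/removing SELinux policy
# modules on a time schedule. Module names, windows and paths are
# constructed for illustration; SEMODULE may be overridden for dry runs.
SEMODULE="${SEMODULE:-semodule}"

# Constructed schedule: "module start_hour end_hour" (24h clock, hours
# without leading zeros). A module is active when start <= hour < end;
# a window with end < start wraps past midnight.
SCHEDULE='
trbac_payroll_role 9 17
trbac_backup_role 22 6
'

# active_now MODULE HOUR: return 0 if MODULE should be loaded at HOUR.
# Modules absent from the schedule are never active (deny by default).
active_now() {
    mod=$1; hour=$2; result=1
    while read -r m start end; do
        [ "$m" = "$mod" ] || continue
        if [ "$start" -le "$end" ]; then
            [ "$hour" -ge "$start" ] && [ "$hour" -lt "$end" ] && result=0
        else
            { [ "$hour" -ge "$start" ] || [ "$hour" -lt "$end" ]; } && result=0
        fi
    done <<EOF
$SCHEDULE
EOF
    return $result
}

# reconcile HOUR: make the set of installed modules match the schedule.
# The window boundary is not atomic: a role may stay usable for up to one
# scheduler period after its window closes (the caveat Patrick raises).
reconcile() {
    hour=$1
    installed=$("$SEMODULE" -l | awk '{print $1}')
    for mod in $(echo "$SCHEDULE" | awk 'NF {print $1}'); do
        if active_now "$mod" "$hour"; then
            echo "$installed" | grep -qx "$mod" || "$SEMODULE" -i "/etc/selinux/trbac/$mod.pp"
        else
            echo "$installed" | grep -qx "$mod" && "$SEMODULE" -r "$mod"
        fi
    done
}

# Run periodically (e.g. from cron) as: sh trbac_sched.sh run
[ "${1:-}" = "run" ] && { hour=$(date +%H); reconcile "${hour#0}"; }
```

Because semodule -i / -r rewrite the loaded policy, the scheduler must itself run in a domain permitted to load policy, which is the "higher privileges" Patrick mentions.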





