At 2011-03-18, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:
>On Fri, 2011-03-18 at 08:43 +0800, Yao wrote:
>> Hi, all
>> I looked at linux-2.6.36/security/selinux/ss/*.c and found most source
>> files include <linux/***.h>
>> I know the security server needs to use some kernel data structures.
>> But does ss use kernel functions?
>> Is it possible to modify the security server and make it self-contained if
>> ss uses kernel functions?
>
>The original security server code was developed for another OS
>(Fluke/Flask) and then ported to Linux. There are a small number of
>fundamental dependencies on the runtime environment, like memory
>allocation, logging/auditing, locking, etc. Over time, the security
>server code in Linux has become increasingly "nativized" for Linux so
>you may find further dependencies in the current code.
>
So, it's hard to modify ss to make it self-contained, right?
I just wonder if there is a security module that supports Flask without invoking kernel functions, though using kernel data is permitted...
Does AppArmor fit what I want?
>You'll find other forms of the security server code that may be more
>portable in:
>1) The SELinux userspace (http://userspace.selinuxproject.org)
>In particular, a copy of the security server code lives in libsepol.
>Originally there was a single code base shared between
>checkpolicy/libsepol and the kernel, but this was forked when SELinux
>went into mainline.
>
>2) The OSKit (http://www.cs.utah.edu/flux/oskit/)
>This was used in Fluke/Flask. Security server is under security/, AVC
>is in com/avc.c.
>
>3) Various ports of SELinux to other systems
>(http://www.nsa.gov/research/selinux/related.shtml)
>
>--
>Stephen Smalley
>National Security Agency