> At 2011-03-18, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:
> >
> >On Fri, 2011-03-18 at 08:43 +0800, Yao wrote:
> >> Hi, all
> >> I looked at linux-2.6.36/security/selinux/ss/*.c and found most source
> >> files include <linux/***.h>
> >> I know the security server needs to use some of the kernel data structures.
> >> But does ss use kernel functions?
> >> Is it possible to modify the security server and make it self-contained if
> >> ss uses kernel functions?
> >
> >The original security server code was developed for another OS
> >(Fluke/Flask) and then ported to Linux.  There are a small number of
> >fundamental dependencies on the runtime environment, like memory
> >allocation, logging/auditing, locking, etc.  Over time, the security
> >server code in Linux has become increasingly "nativized" for Linux so
> >you may find further dependencies in the current code.
>
> So, it's hard to modify ss to make it self-contained, right?
> I just wonder if there is a security module that does not invoke kernel functions
> but supports flask, though using kernel data is permitted...

libselinux provides a set of interfaces to invoke the security server in
kernel space. Please see the manpage of security_compute_av(3).
The security_context_t type of these arguments is just an alias of char *,
so all you need to do is call this function with the security contexts of
subject/object and the set of permissions to be asked.

> Is AppArmor fit for my needs?

It seems to me you walk away from where you want to go. :-)

Thanks,
--
NEC Europe Ltd, Global Competence Center
KaiGai Kohei <kohei.kaigai@xxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.