Re: SELinux on Android

Hi All,

I was wondering if there is a way to do automatic policy updates for SELinux at runtime. On similar lines, is there a means by which SELinux queries a "supervisor" in userspace in case a policy violation is detected in enforcing mode? For example, let's say SELinux's initial policy (loaded during device boot) does not permit program X to read file Y. If SELinux is enforcing such a policy, X is not allowed to read Y (obviously). In this scenario, is there a way to allow SELinux to ask a user-space decision maker program if Y could indeed be read by X? Maybe the user-space decision maker deems the file safe to be read.

Apologies if I am being a little vague here. To put my question in perspective, I am working on evaluating SELinux on Android, and it is sometimes useful for the Android middleware (sitting on top of the Linux kernel) to interfere in kernel-level MAC, e.g. SELinux. So, it would be useful to know if a communication channel between SELinux and the middleware could be established, esp. wrt policy updates.

Any help is much appreciated.

Kind Regards,
Bhargava

On Tue, Nov 22, 2011 at 11:03 PM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
On Wed, 23 Nov 2011, Bhargava Shastry <bshas3@xxxxxxxxx> wrote:
> between the two files. To do this, I need sources for Ubuntu-SELinux policy
> (in order to compile a policy.conf) . I have somehow not been able to
> locate the source for the policy binary that ubuntu uses (I looked in the
> /etc/selinux dir to no avail). Any ideas as to where I can find them?
> Alternatively, is there a tool to reverse engineer policy.conf from the
> policy binary (e.g. policy.24)?

To get the source for something on Ubuntu you should run
"apt-get source PACKAGE".

Also you might find it better to use Debian SE Linux stuff instead of Ubuntu.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/



--
Bhargava Shastry
