Re: Allowing all access in SELinux without permissive mode.

The policy is loaded into internal data structures during system
initialization (see security_load_policy and the functions it calls),
and the security server consults those data structures (see
security_compute_av and the functions it calls) to compute the allowed
permissions.  The decisions are stored in the avd (struct av_decision)
returned by the security server to the AVC.  You can trace through the
code, or read English descriptions in:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
https://www.imperialviolet.org/2009/07/14/selinux.html
http://www.nsa.gov/research/_files/selinux/papers/slinux-abs.shtml

Yes. security_compute_av calls context_struct_compute_av() which does other checks like MLS constraints, allow_unknown flags, etc. Post that, the access decisions are relayed. Thinking out loud here, I need to make changes to security_compute_av() to make changes in how SELinux calls for policy data structure/policy/pseudo filesystem. Am I correct?

Obviously some of these references are quite out of date but can still
be helpful in understanding the overall structure and flow.

> Question to mailing list head : While replying to mails in mailing list,
> should the email reply of people who replied me already be included or
> not? Thank you.

You can infer it from the way I responded to your email; include the
_relevant_ portions of the message to which you are responding, and
"bottom posting" rather than "top posting" is preferred.  However, this
is increasingly counter to the defaults of modern email clients and
therefore you will see mixed practice, even by me.

Thank you. Will keep this in mind.

I hope this mail was correctly formatted. Thank you for your time.
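
The flow described in the quoted explanation above, as an added example that is not part of the original thread or the kernel source: a simplified user-space C model in which a rule table stands in for the loaded policy, `model_compute_av` fills an `av_decision`, and `model_has_perm` plays the role of the AVC. The `model_*` names, the two-field `av_decision`, the rule layout, the seqno-based staleness check and the sample SIDs are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model only: names and layouts are illustrative assumptions, not kernel code. */
struct av_decision { uint32_t allowed; uint32_t seqno; };
struct rule { uint16_t ssid, tsid, tclass; uint32_t perms; };
#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define AVC_SLOTS  8

/* Constructed sample policy, standing in for the structures built at policy load. */
static const struct rule policy[] = {
    { 1, 2, 1, PERM_READ }, { 1, 2, 1, PERM_WRITE }, { 3, 2, 1, PERM_READ },
};
static uint32_t policy_seqno = 1;  /* bumped when a new policy is loaded */
static unsigned server_calls;      /* times the "security server" was consulted */

/* Security-server side: start from deny, OR in the permissions of each matching rule. */
static void model_compute_av(uint16_t ssid, uint16_t tsid, uint16_t tclass,
                             struct av_decision *avd)
{
    server_calls++;
    avd->allowed = 0;
    avd->seqno = policy_seqno;
    for (size_t i = 0; i < sizeof(policy) / sizeof(policy[0]); i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid && policy[i].tclass == tclass)
            avd->allowed |= policy[i].perms;
}

/* AVC side: decisions cached per (ssid, tsid, tclass). */
static struct { int valid; uint16_t ssid, tsid, tclass; struct av_decision avd; } avc[AVC_SLOTS];

/* Returns 0 when every requested permission is in the decision, -1 otherwise. */
static int model_has_perm(uint16_t ssid, uint16_t tsid, uint16_t tclass, uint32_t requested)
{
    unsigned slot = (unsigned)(ssid ^ (tsid << 1) ^ (tclass << 2)) % AVC_SLOTS;
    if (!avc[slot].valid || avc[slot].ssid != ssid || avc[slot].tsid != tsid ||
        avc[slot].tclass != tclass || avc[slot].avd.seqno != policy_seqno) {
        model_compute_av(ssid, tsid, tclass, &avc[slot].avd);  /* miss or stale entry */
        avc[slot].valid = 1; avc[slot].ssid = ssid;
        avc[slot].tsid = tsid; avc[slot].tclass = tclass;
    }
    return (avc[slot].avd.allowed & requested) == requested ? 0 : -1;
}

int main(void)
{
    printf("%d %d\n", model_has_perm(1, 2, 1, PERM_READ | PERM_WRITE), model_has_perm(3, 2, 1, PERM_WRITE));
    return 0;
}
```

In this model a triple with no matching rule gets an empty `allowed` vector, and a cached decision is recomputed once `policy_seqno` changes.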