Re: question about basic selinux concept

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,
Is there any documentation on which LSM hook function is responsible for sending the request to the security server and the function responsible for relaying the decision of the security server to the LSM enforcement hooks?

Thank you   


On Thu, Jan 2, 2014 at 3:53 AM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
On Thu, 2 Jan 2014, bigclouds <bigclouds@xxxxxxx> wrote:
> there are not many document  about internal of selinux on the internet.
> could you answer my  questions, thanks
> # ps -eZ | grep qemu-kvm
> system_u:system_r:svirt_t:s0:c87,c520 27950 ? 00:00:17 qemu-kvm
>
> 1.there, svirt_t is a domain or a type? how to create a new type , just a
> sample is ok

In the way that SE Linux works internally there isn't a difference.  With the
way the policy is written the attribute "domain" is applied to any type that
can be used for labelling a process.

#
# init_t is the domain of the init process.
#
type init_t, initrc_transition_domain;
type init_exec_t;
domain_type(init_t)
domain_entry_file(init_t, init_exec_t)
kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;

Above is a snippet from init.te.  It creates the "type" (where the word
applies to a policy language keyword) init_t and then uses the interface
"domain_type" to give it the attribute "domain".

> 2.how to know   how much authority  , on how many files,dirs,sockets....
> the process of qemu-kvm  has? is there a command to show that?

The commands "apol" and "sesearch" allow you to discover that.

> 3. s0, if it can be s1,s2....(images have the same s*), if i do so , any
> other requirement? if  type is targeted, if targeted has only one level,
> s0?   in targeted case, s1,s2...is not valid?

s1 only exists if you use the MLS (Multi Level Security) policy, which you
almost certainly aren't using (it's an advanced feature and not enabled by
default in any distribution you are likely to use).

That level field in the label is also used by MCS (Multi Category Security)
which allows values such as "s0:c0" and "s0:c0,c3".  Feel free to experiment
with that, you can use the command "runcon" to launch a process with a
different level and see what access it is permitted to have to files of
different level.

> 4.what does s(sensitive) and c(class) mean?

For MCS it's only s0 so it means nothing for you.  MLS is more complex, master
MCS first.

> 5. there are two class, c520,c87.   what is the upper limit of class
> amount.

The categories (not classes) are numbered from c0 to c1023, there are 1024 of
them but this is a policy compilation choice, you could rebuild the policy and
use more or less.  In MCS to read a file a process needs to have every
category that the file has (or it needs to be in a domain that can override
the MCS controls).

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux