Re: What's a policy capability?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 07/21/14 18:21, Stephen Smalley wrote:

On 07/19/2014 04:03 AM, dE wrote:

I came cross this term and couldn't find much reference to it.

A mechanism for telling the kernel that your policy supports some new
feature/capability and therefore it is safe for the kernel to enable the
corresponding check/logic.  Used as a way of supporting new
checks/features in a backward-compatible manner:  old policies will not
have defined the policy capability for the new feature and therefore
will not enable the new check/logic by default, while new policies can
opt into or out of the new check/logic at their discretion.

ls /sys/fs/selinux/policy_capabilities will show the list of policy
capabilities known to your kernel, while cat
/sys/fs/selinux/policy_capabilities/<capability_name> will show whether
that capability was enabled (1) or disabled (0) in the currently loaded
policy.

seinfo --polcap will list enabled policy capabilities in the current or
specified policy.

The set of policy capabilities to be enabled in the policy is declared
in refpolicy/policy/policy_capabilities in the refpolicy source.

The kernel uses the value of specific policy capabilities to decide
whether to enable corresponding checks/logic in security/selinux/hooks.c
in the kernel source; look for tests of selinux_policycap_*.
These variables are set upon policy load by security_load_policycaps(),
loaded from a bitmap read from the policy file.


Ok, thanks for clarifying.
But just curious -- these new checks may not be not be backwards compatible? I mean if the kernel has enabled a policy feature, but the loaded policy does not have any such capability, then can it cause any problems?
Also the policy has a version, using that it's capabilities can be known to the kernel and it may enable disable the features based on that. So in this case, why is policy capability required? 
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux