Re: Missing security labels for socket objects?


 



Is there any work going on to make it more granular? I did not see
it in the "Remaining Work" backlog. It is a generic problem and should
have a generic solution.

On 10/30/2014 06:06 PM, Stephen Smalley wrote:
On 10/30/2014 12:37 PM, peter enderborg wrote:
Hi! I'm trying to see where the access control for some socket objects
occurs.
And it seems there is not a very detailed resolution for sockets. For some
protocols there is NOTHING. I did a test. I created my own protocol,
AF_PEG_IPC.
This can be accessed without a specific type definition or context. It
needs socket access. In my system there are about 20 different protocols.
They are "all or nothing".

The question is how do I select which root task can access
AF_PEG_IPC and which cannot.  In SELinux root is supposed to be
in a locked container.

SELinux applies a set of general socket permission checks (e.g. create,
bind, connect, ...) for all sockets, but it can only distinguish among
types of sockets for which security classes have been defined.  All
other socket address families are lumped together into the generic
socket security class.  If you want to be able to control this
AF_PEG_IPC separately, you need to introduce a security class for it.
See this similar answer on the seandroid-list,
http://marc.info/?l=seandroid-list&m=139056956927985&w=2
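Stephen's point about the generic class, as an added user-space model (not kernel code and not from this thread): it imitates the address-family switch in SELinux's socket_type_to_security_class() with constructed class values and placeholder family numbers, and shows that two families without their own class cannot be told apart by policy until a class is introduced.

```c
/* Added example: a user-space model of how SELinux maps a socket's address
 * family to a security class.  It imitates the shape of
 * socket_type_to_security_class() in security/selinux/hooks.c but is NOT
 * kernel code; the class values and the AF_PEG_IPC / AF_OTHER_PRIVATE
 * numbers are constructed placeholders for this illustration. */
#include <sys/socket.h>

/* Constructed class identifiers (not the kernel's generated SECCLASS_* values). */
enum secclass {
    SECCLASS_SOCKET,              /* the generic "catch-all" socket class */
    SECCLASS_UNIX_STREAM_SOCKET,
    SECCLASS_UNIX_DGRAM_SOCKET,
    SECCLASS_TCP_SOCKET,
    SECCLASS_UDP_SOCKET,
    SECCLASS_PEG_IPC_SOCKET       /* the class the thread says must be added */
};

#define AF_PEG_IPC       60   /* placeholder number for the poster's private family */
#define AF_OTHER_PRIVATE 61   /* placeholder: a second family with no class of its own */

/* Mapping as it stands while no class has been defined for AF_PEG_IPC. */
static enum secclass class_without_peg(int family, int type)
{
    switch (family) {
    case AF_UNIX:
        return type == SOCK_DGRAM ? SECCLASS_UNIX_DGRAM_SOCKET
                                  : SECCLASS_UNIX_STREAM_SOCKET;
    case AF_INET:
        return type == SOCK_DGRAM ? SECCLASS_UDP_SOCKET : SECCLASS_TCP_SOCKET;
    default:
        return SECCLASS_SOCKET;   /* every other family is lumped in here */
    }
}

/* The same mapping after a dedicated class has been introduced. */
static enum secclass class_with_peg(int family, int type)
{
    if (family == AF_PEG_IPC)
        return SECCLASS_PEG_IPC_SOCKET;
    return class_without_peg(family, type);
}

/* Policy can only grant one family and deny another if they map to
 * different classes; returns 1 when the two families are separable. */
static int distinguishable(enum secclass (*map)(int, int), int fam_a, int fam_b)
{
    return map(fam_a, SOCK_STREAM) != map(fam_b, SOCK_STREAM);
}
```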



Selinux mailing list



