From: Joshua Brindle <jbrindle@tresys.com>
To: SELinux <SELinux@tycho.nsa.gov>
Cc: SELinux-dev@tresys.com, Stephen Smalley <sds@tycho.nsa.gov>
Subject: ANN: userspace security server prototype
Date: Fri, 09 Dec 2005 15:58:52 -0500 [thread overview]
Message-ID: <4399F00C.7040106@tresys.com> (raw)
A prototype of the SELinux userspace security server has been released.
The userspace security server provides access decisions to userspace
object managers, rather than forcing them to use the kernel for access
control decisions. This version has several limitations and should not
be considered for production use. Those issues include:
- mls issues in the libsepol security server
- no setbool support (need to figure out access control on booleans)
- no load policy support (policy loaded at startup)
- no enforcement on setenforce
- no routing is done, all userspace requests go to the USS if it is
enabled, unless the USS cannot be contacted, this is to allow a system
to boot up properly and will be addressed
To test the uss check out the cvs module with:
cvs -z3
-d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/sepolicy-server co -P uss
make and install the tree (it was synchronized with the nsa tree on
2005-12-08). Then add the following to /etc/selinux/config
[ss]
name=uss
location=/var/run/uss
update=/var/run/uss-update
and copy the uss.conf from the uss directory to /etc/selinux (and change
any options you want)
finally, run ./uss and use any userspace object manager to see the results.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
reply other threads:[~2005-12-09 20:58 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4399F00C.7040106@tresys.com \
--to=jbrindle@tresys.com \
--cc=SELinux-dev@tresys.com \
--cc=SELinux@tycho.nsa.gov \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.