From: Eamon Walsh <ewalsh@tycho.nsa.gov>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Xavier Toth <txtoth@gmail.com>,
SELinux Mail List <selinux@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
Eric Paris <eparis@parisplace.org>,
KaiGai Kohei <kaigai@kaigai.gr.jp>,
"Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: Re: [PATCH] libselinux: new and updated man pages for AVC, mapping, label
Date: Fri, 13 Jun 2008 14:49:12 -0400
Message-ID: <4852C128.30700@tycho.nsa.gov>
In-Reply-To: <1213367226.17842.346.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
[snip]
> One other question I have is what we should do about the flask.h
> definitions and string tables in libselinux. We obviously need to
> retain the legacy definitions for old userspace object managers, but we
> also have the old X definitions there and the db definitions. make
> LIBSELINUX_D=/path/to/libselinux tolib from refpolicy/policy/flask will
> install updated headers and string tables with the latest definitions
> but do we want them all now or just the legacy ones?
>
I think we need to start removing the userspace classes, starting with
the DB and X ones. Even for the legacy object managers, removing the
definitions won't break any binaries, just the source code compiling.
> I suppose partly that depends on whether we want to use newer object
> managers on older kernels that don't support the dynamic class/perm
> discovery mechanism.
>
I would argue no, given that X at least depends a lot on new kernel
features.
>
>> As a separate matter, we may want to discuss whether we are getting the
>> flexibility we hoped from this dynamic mapping. The other day I was
>> adding a new kernel class for experimentation purposes and inserted it
>> before the new X classes, thinking that this would be ok since they can
>> be dynamically looked up and thus don't require fixed indices. However,
>> when booting the resulting kernel with a stock policy, I found that the
>> kernel refused to load the policy because it saw a conflict between its
>> kernel definition for that class value (the new kernel class) and the
>> policy definition for that class value (the X class). Which would mean
>> that new kernels on legacy distros would break.
>>
Well I think the kernel needs to grow its own mapping support then.
--
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
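The two problems discussed in this message, a policy whose class values no longer line up with the kernel's compiled-in table, and a userspace object manager that still relies on fixed flask.h indices, can be shown with a small self-contained model. The following C program is an added example written for this archive page; it is not code from the thread, from libselinux or from the kernel. The class tables, names and values in it are constructed for illustration (they are not real SELinux class numbers), and `class_by_name` / `resolve_mapping` are local stand-ins for what libselinux's `string_to_security_class` and `selinux_set_mapping` do against the running kernel.

```c
#include <stdio.h>
#include <string.h>

/* A class table as a kernel or a policy carries it: value -> name.
 * Both tables below are CONSTRUCTED for this example; the names are
 * illustrative and the values are not real SELinux class numbers. */
struct class_entry { unsigned short value; const char *name; };

/* "Kernel" table after a new experimental class was inserted in front of
 * the X classes, which shifts every X class value up by one. */
static const struct class_entry kernel_classes[] = {
    {1, "security"}, {2, "process"}, {3, "file"},
    {4, "experimental"},            /* newly inserted kernel class */
    {5, "x_drawable"}, {6, "x_screen"},
};

/* "Policy" table built before the insertion: x_drawable is still value 4. */
static const struct class_entry policy_classes[] = {
    {1, "security"}, {2, "process"}, {3, "file"},
    {4, "x_drawable"}, {5, "x_screen"},
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Value-based compatibility check of the kind described in the quoted text:
 * for every class value both tables define, the names must agree, otherwise
 * the policy is refused. Returns the first conflicting value, 0 if none. */
unsigned short first_class_conflict(const struct class_entry *k, size_t nk,
                                    const struct class_entry *p, size_t np)
{
    for (size_t i = 0; i < nk; i++)
        for (size_t j = 0; j < np; j++)
            if (k[i].value == p[j].value && strcmp(k[i].name, p[j].name) != 0)
                return k[i].value;
    return 0;
}

/* Name-based lookup: the userspace alternative to a compiled-in index.
 * Returns 0 when the class is unknown to this table. */
unsigned short class_by_name(const struct class_entry *t, size_t n,
                             const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0)
            return t[i].value;
    return 0;
}

/* An object manager's view of the classes it needs, resolved once at
 * startup instead of compiled in (a local simplification of the shape of
 * libselinux's struct security_class_mapping; hypothetical, not its API). */
struct om_mapping { const char *name; unsigned short kernel_value; };

/* Resolve every name against the given table; returns how many could not
 * be resolved, so the object manager can refuse to start on an old kernel
 * that lacks a class it needs instead of enforcing with a wrong value. */
int resolve_mapping(struct om_mapping *m, size_t n,
                    const struct class_entry *t, size_t nt)
{
    int unresolved = 0;
    for (size_t i = 0; i < n; i++) {
        m[i].kernel_value = class_by_name(t, nt, m[i].name);
        if (m[i].kernel_value == 0)
            unresolved++;
    }
    return unresolved;
}

int main(void)
{
    /* 1. Kernel-side check: the stale policy conflicts at value 4. */
    unsigned short c = first_class_conflict(kernel_classes, COUNT(kernel_classes),
                                            policy_classes, COUNT(policy_classes));
    if (c)
        printf("policy refused: class value %u is defined differently\n", c);

    /* 2. Userspace side: a fixed legacy index (4) now names the wrong class,
     *    while a name lookup follows the kernel's table. */
    struct om_mapping x_om[] = { {"x_drawable", 0}, {"x_screen", 0} };
    int missing = resolve_mapping(x_om, COUNT(x_om),
                                  kernel_classes, COUNT(kernel_classes));
    printf("legacy fixed index 4 is now '%s'\n", kernel_classes[3].name);
    for (size_t i = 0; i < COUNT(x_om); i++)
        printf("resolved %s -> %u\n", x_om[i].name, x_om[i].kernel_value);
    printf("unresolved classes: %d\n", missing);
    return 0;
}
```

Running it prints that the stale policy is refused at value 4 and that `x_drawable` resolves to 5 on the new kernel, which is exactly the gap between a compiled-in index and a name lookup that the thread is debating.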