From: Andy Warner <warner@rubix.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: adding objects classes and permissions to policy
Date: Fri, 17 Oct 2008 11:45:48 +0200
Message-ID: <48F85ECC.108@rubix.com>
In-Reply-To: <1224186905.9247.141.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
>
>> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
>>
>>> When adding new object classes and permissions to SELinux policy is it
>>> necessary to re-create flask.h and av_permissions.h header files so
>>> that a user-space object manager can access the associated defines? If
>>> so, would someone give me some pointers as to how these are
>>> generated?
>>>
>> You should use the dynamic class/permission lookup facilities for any
>> new code. man selinux_set_mapping
>>
>> XSELinux and SE-PostgreSQL are already using it I believe.
>>
>
>
I can't find any evidence that my version of libselinux contains the
selinux_set_mapping function. I am using CentOS 5.1 with libselinux
version 1.33.4. I have been learning RHEL 5 tends to be a bit behind the
times with regard to SELinux functionality. Does libselinux 1.33.4 not
have the dynamic class/permission lookup facilities? If it does not, any
advice on how to add object classes/permissions to policy? Moving to
Fedora is a possibility, maybe it's worth considering as this would not
be the first issue we have had with an outdated SELinux mechanism on
RHEL 5 (?). We are integrating SELinux TE / MLS with our commercial
DBMS, and I have learned that RHEL 5 does not have the database-related
object classes/permissions in the base policy where the most recent
Fedora does, hence my need to add the object classes/permissions in RHEL 5.

> Example usage from XSELinux:
> http://marc.info/?l=selinux&m=118114723416269&w=2
>
>