* adding objects classes and permissions to policy
@ 2008-10-16 19:40 Andy Warner
  2008-10-16 19:53 ` Stephen Smalley
  2008-10-16 20:02 ` adding objects classes and permissions to policy Xavier Toth
  0 siblings, 2 replies; 14+ messages in thread
From: Andy Warner @ 2008-10-16 19:40 UTC (permalink / raw)
  To: selinux



When adding new object classes and permissions to SELinux policy is it 
necessary to re-create flask.h and av_permissions.h header files so that 
a user-space object manager can access the associated defines? If so, 
would someone give me some pointers as to how these are generated?

Thanks,

Andy



* Re: adding objects classes and permissions to policy
  2008-10-16 19:40 adding objects classes and permissions to policy Andy Warner
@ 2008-10-16 19:53 ` Stephen Smalley
  2008-10-16 19:55   ` Stephen Smalley
  2008-10-16 20:02 ` adding objects classes and permissions to policy Xavier Toth
  1 sibling, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-16 19:53 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux

On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
> 
> When adding new object classes and permissions to SELinux policy is it
> necessary to re-create flask.h and av_permissions.h header files so
> that a user-space object manager can access the associated defines? If
> so, would someone give me some pointers as to how these are
> generated? 

You should use the dynamic class/permission lookup facilities for any
new code.  man selinux_set_mapping

XSELinux and SE-PostgreSQL are already using it I believe.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
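As an added illustration (not part of the thread, and not libselinux code) of what the dynamic lookup behind selinux_set_mapping amounts to: libselinux resolves class and permission names at object-manager startup by reading the kernel's selinuxfs class/ tree rather than relying on compiled-in flask.h constants. The C program below performs that same resolution against a constructed copy of the tree, so the class number 62 and the permission indices are made-up sample values, and it reports failure for any name the loaded policy does not define, which is the case an object manager has to handle.

```c
/* Added example, not code from the thread or from libselinux. It shows what the
 * "dynamic class/permission lookup" Stephen recommends does underneath: the
 * object manager names the classes and permissions it needs and resolves them at
 * startup from the kernel's selinuxfs class/ tree (/sys/fs/selinux, or /selinux
 * on older systems) instead of compiling in flask.h / av_permissions.h values:
 *   class/<class>/index        -> class value
 *   class/<class>/perms/<perm> -> 1-based permission index, AV bit = 1 << (index-1)
 * To run offline it builds a throwaway tree with CONSTRUCTED values (db_table = 62,
 * select/insert/update = 1/2/3) under /tmp and removes it; selinuxfs is untouched. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

typedef unsigned int access_vector_t;

/* Name-based request, same idea as libselinux's struct security_class_mapping. */
struct class_mapping {
    const char *name;
    const char *perms[8];     /* NULL-terminated permission names */
    unsigned int value;       /* resolved class value */
    access_vector_t av[8];    /* resolved AV bit per permission */
};

/* One decimal value from <root>/class/<rel>; -1 if the policy does not define it. */
static long read_value(const char *root, const char *rel)
{
    char full[512];
    long v = -1;
    snprintf(full, sizeof full, "%s/class/%s", root, rel);
    FILE *f = fopen(full, "r");
    if (!f) return -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Resolve every class and permission; 0 on success, -1 if any name is unknown to
 * the policy, which a real object manager must treat as fatal at startup. */
int resolve_mapping(const char *root, struct class_mapping *map, size_t n)
{
    char rel[256];
    for (size_t i = 0; i < n; i++) {
        snprintf(rel, sizeof rel, "%s/index", map[i].name);
        long cls = read_value(root, rel);
        if (cls < 0) return -1;
        map[i].value = (unsigned int)cls;
        for (size_t j = 0; map[i].perms[j]; j++) {
            snprintf(rel, sizeof rel, "%s/perms/%s", map[i].name, map[i].perms[j]);
            long idx = read_value(root, rel);
            if (idx < 1 || idx > 32) return -1;
            map[i].av[j] = 1u << (idx - 1);
        }
    }
    return 0;
}

/* Constructed tree in creation order; a NULL value marks a directory. */
static const char *FIXTURE[][2] = {
    { "", NULL }, { "db_table", NULL }, { "db_table/index", "62" },
    { "db_table/perms", NULL }, { "db_table/perms/select", "1" },
    { "db_table/perms/insert", "2" }, { "db_table/perms/update", "3" },
};
#define NFIX (sizeof FIXTURE / sizeof FIXTURE[0])

static void build_fixture(const char *root)
{
    char full[512];
    mkdir(root, 0700);
    for (size_t i = 0; i < NFIX; i++) {
        snprintf(full, sizeof full, "%s/class/%s", root, FIXTURE[i][0]);
        if (!FIXTURE[i][1]) { mkdir(full, 0700); continue; }
        FILE *f = fopen(full, "w");
        if (f) { fputs(FIXTURE[i][1], f); fclose(f); }
    }
}

static void destroy_fixture(const char *root)
{
    char full[512];
    for (size_t i = NFIX; i-- > 0;) {
        snprintf(full, sizeof full, "%s/class/%s", root, FIXTURE[i][0]);
        remove(full);
    }
    remove(root);
}

/* Resolve db_table with perms p0 (and p1 if non-NULL) against the fixture; returns
 * the AV bit of p0, or 0 on failure, and stores the class value in *cls_out. */
access_vector_t demo_lookup(const char *p0, const char *p1, unsigned int *cls_out)
{
    char root[64];
    struct class_mapping map[] = { { "db_table", { p0, p1, NULL }, 0, { 0 } } };
    snprintf(root, sizeof root, "/tmp/selinuxfs_demo.%ld", (long)getpid());
    build_fixture(root);
    int rc = resolve_mapping(root, map, 1);
    destroy_fixture(root);
    if (cls_out)
        *cls_out = map[0].value;
    return rc == 0 ? map[0].av[0] : 0;
}
```

demo_lookup("update", "select", &cls) yields class 62 and AV bit 0x4 for update; demo_lookup("drop", NULL, NULL) returns 0 because the constructed policy has no such permission. Pointing resolve_mapping at a real selinuxfs root instead of the fixture is the only change needed to query a live kernel.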


* Re: adding objects classes and permissions to policy
  2008-10-16 19:53 ` Stephen Smalley
@ 2008-10-16 19:55   ` Stephen Smalley
  2008-10-17  9:45     ` Andy Warner
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-16 19:55 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux

On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
> > 
> > When adding new object classes and permissions to SELinux policy is it
> > necessary to re-create flask.h and av_permissions.h header files so
> > that a user-space object manager can access the associated defines? If
> > so, would someone give me some pointers as to how these are
> > generated? 
> 
> You should use the dynamic class/permission lookup facilities for any
> new code.  man selinux_set_mapping
> 
> XSELinux and SE-PostgreSQL are already using it I believe.

Example usage from XSELinux:
http://marc.info/?l=selinux&m=118114723416269&w=2

-- 
Stephen Smalley
National Security Agency




* Re: adding objects classes and permissions to policy
  2008-10-16 19:40 adding objects classes and permissions to policy Andy Warner
  2008-10-16 19:53 ` Stephen Smalley
@ 2008-10-16 20:02 ` Xavier Toth
  2008-10-16 20:06   ` Stephen Smalley
  1 sibling, 1 reply; 14+ messages in thread
From: Xavier Toth @ 2008-10-16 20:02 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux

On Thu, Oct 16, 2008 at 2:40 PM, Andy Warner <warner@rubix.com> wrote:
>
> When adding new object classes and permissions to SELinux policy is it
> necessary to re-create flask.h and av_permissions.h header files so that a
> user-space object manager can access the associated defines? If so, would
> someone give me some pointers as to how these are generated?
>
> Thanks,
>
> Andy
>
This might help:
http://selinuxproject.org/page/Adding_New_Permissions

Ted



* Re: adding objects classes and permissions to policy
  2008-10-16 20:02 ` adding objects classes and permissions to policy Xavier Toth
@ 2008-10-16 20:06   ` Stephen Smalley
  0 siblings, 0 replies; 14+ messages in thread
From: Stephen Smalley @ 2008-10-16 20:06 UTC (permalink / raw)
  To: Xavier Toth; +Cc: Andy Warner, selinux

On Thu, 2008-10-16 at 15:02 -0500, Xavier Toth wrote:
> On Thu, Oct 16, 2008 at 2:40 PM, Andy Warner <warner@rubix.com> wrote:
> >
> > When adding new object classes and permissions to SELinux policy is it
> > necessary to re-create flask.h and av_permissions.h header files so that a
> > user-space object manager can access the associated defines? If so, would
> > someone give me some pointers as to how these are generated?
> >
> > Thanks,
> >
> > Andy
> >
> This might help:
> http://selinuxproject.org/page/Adding_New_Permissions

Deprecated for userspace object managers, should only be followed for
kernel classes/permissions.

-- 
Stephen Smalley
National Security Agency




* Re: adding objects classes and permissions to policy
  2008-10-16 19:55   ` Stephen Smalley
@ 2008-10-17  9:45     ` Andy Warner
  2008-10-17 12:13       ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Andy Warner @ 2008-10-17  9:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux




Stephen Smalley wrote:
> On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
>   
>> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
>>     
>>> When adding new object classes and permissions to SELinux policy is it
>>> necessary to re-create flask.h and av_permissions.h header files so
>>> that a user-space object manager can access the associated defines? If
>>> so, would someone give me some pointers as to how these are
>>> generated? 
>>>       
>> You should use the dynamic class/permission lookup facilities for any
>> new code.  man selinux_set_mapping
>>
>> XSELinux and SE-PostgreSQL are already using it I believe.
>>     
>
>   
I can't find any evidence that my version of libselinux contains the 
selinux_set_mapping function. I am using CentOS 5.1 with libselinux 
version 1.33.4. I have been learning RHEL 5 tends to be a bit behind the 
times with regards to SELinux functionality. Does libselinux 1.33.4 not 
have the dynamic class/permission lookup facilities? If it does not, any 
advice on how to add object classes / permissions to policy? Moving to 
Fedora is a possibility, maybe it's worth considering as this would not 
be the first issue we have had with an outdated SELinux mechanism on 
RHEL 5 (?). We are integrating SELinux TE / MLS with our commercial 
DBMS, and I have learned that RHEL 5 does not have the database related 
object classes /permissions in the base policy where the most recent 
Fedora does, hence my need to add the object classes /permissions in RHEL 5.

> Example usage from XSELinux:
> http://marc.info/?l=selinux&m=118114723416269&w=2
>
>   



* Re: adding objects classes and permissions to policy
  2008-10-17  9:45     ` Andy Warner
@ 2008-10-17 12:13       ` Stephen Smalley
  2008-10-17 14:18         ` Andy Warner
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-17 12:13 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux, Daniel J Walsh

On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
> 
> 
> Stephen Smalley wrote: 
> > On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
> >   
> > > On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
> > >     
> > > > When adding new object classes and permissions to SELinux policy is it
> > > > necessary to re-create flask.h and av_permissions.h header files so
> > > > that a user-space object manager can access the associated defines? If
> > > > so, would someone give me some pointers as to how these are
> > > > generated? 
> > > >       
> > > You should use the dynamic class/permission lookup facilities for any
> > > new code.  man selinux_set_mapping
> > > 
> > > XSELinux and SE-PostgreSQL are already using it I believe.
> > >     
> > 
> >   
> I can't find any evidence that my version of libselinux contains the
> selinux_set_mapping function. I am using CentOS 5.1 with libselinux
> version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
> the times with regards to SELinux functionality. Does libselinux
> 1.33.4 not have the dynamic class/permission lookup facilities? If it
> does not, any advice on how to add object classes / permissions to
> policy? Moving to Fedora is a possibility, maybe it's worth
> considering as this would not be the first issue we have had with an
> outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
> TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
> not have the database related object classes /permissions in the base
> policy where the most recent Fedora does, hence my need to add the
> object classes /permissions in RHEL 5.

To use the object class/perm discovery support, you'd need to use a
modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).

Note that regardless of whether you use object class/permission
discovery support, you have to add the classes and permissions to the
policy flask definitions and rebuild your policy.  The object class/perm
discovery support just changes how the object manager obtains the values
- whether they are hardcoded into it or dynamically looked up at object
manager startup.  But the policy itself still needs to be taught about
them.

As Ted said, the old way to teach libselinux about new classes/perms is
described in:
http://selinuxproject.org/page/Adding_New_Permissions

After updating the policy/flask files, you run make in the flask
subdirectory (different Makefile than the policy build one) and it will
regenerate the header files that are used by libselinux and by the
kernel.  Then you can install the libselinux ones into a libselinux
source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
rebuild your libselinux.

-- 
Stephen Smalley
National Security Agency




* Re: adding objects classes and permissions to policy
  2008-10-17 12:13       ` Stephen Smalley
@ 2008-10-17 14:18         ` Andy Warner
  2008-10-17 14:23           ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Andy Warner @ 2008-10-17 14:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Daniel J Walsh




Stephen Smalley wrote:
> On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
>   
>> Stephen Smalley wrote: 
>>     
>>> On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
>>>   
>>>       
>>>> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
>>>>     
>>>>         
>>>>> When adding new object classes and permissions to SELinux policy is it
>>>>> necessary to re-create flask.h and av_permissions.h header files so
>>>>> that a user-space object manager can access the associated defines? If
>>>>> so, would someone give me some pointers as to how these are
>>>>> generated? 
>>>>>       
>>>>>           
>>>> You should use the dynamic class/permission lookup facilities for any
>>>> new code.  man selinux_set_mapping
>>>>
>>>> XSELinux and SE-PostgreSQL are already using it I believe.
>>>>     
>>>>         
>>>   
>>>       
>> I can't find any evidence that my version of libselinux contains the
>> selinux_set_mapping function. I am using CentOS 5.1 with libselinux
>> version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
>> the times with regards to SELinux functionality. Does libselinux
>> 1.33.4 not have the dynamic class/permission lookup facilities? If it
>> does not, any advice on how to add object classes / permissions to
>> policy? Moving to Fedora is a possibility, maybe it's worth
>> considering as this would not be the first issue we have had with an
>> outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
>> TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
>> not have the database related object classes /permissions in the base
>> policy where the most recent Fedora does, hence my need to add the
>> object classes /permissions in RHEL 5.
>>     
>
> To use the object class/perm discovery support, you'd need to use a
> modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).
>
> Note that regardless of whether you use object class/permission
> discovery support, you have to add the classes and permissions to the
> policy flask definitions and rebuild your policy.  The object class/perm
> discovery support just changes how the object manager obtains the values
> - whether they are hardcoded into it or dynamically looked up at object
> manager startup.  But the policy itself still needs to be taught about
> them.
>
> As Ted said, the old way to teach libselinux about new classes/perms is
> described in:
> http://selinuxproject.org/page/Adding_New_Permissions
>
> After updating the policy/flask files, you run make in the flask
> subdirectory (different Makefile than the policy build one) and it will
> regenerate the header files that are used by libselinux and by the
> kernel.  Then you can install the libselinux ones into a libselinux
> source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
> rebuild your libselinux.
>
>   
When I install our product on a fresh machine in addition to the actual 
product and the new policy files, will I also need to install a new 
version of the libselinux libraries? I assume that the linux kernel 
needs to somehow access the new object class / permissions defines (I'm 
guessing there is a potential for pre-existing defines to change through 
my policy rebuild), would that be through the shared libselinux 
libraries? Kernel rebuild? (Mucking with Linux itself is way out of my 
area of knowledge.)




* Re: adding objects classes and permissions to policy
  2008-10-17 14:18         ` Andy Warner
@ 2008-10-17 14:23           ` Stephen Smalley
  2008-10-17 15:14             ` Andy Warner
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-17 14:23 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux, Daniel J Walsh

On Fri, 2008-10-17 at 16:18 +0200, Andy Warner wrote:
> 
> 
> Stephen Smalley wrote: 
> > On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
> >   
> > > Stephen Smalley wrote: 
> > >     
> > > > On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
> > > >   
> > > >       
> > > > > On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
> > > > >     
> > > > >         
> > > > > > When adding new object classes and permissions to SELinux policy is it
> > > > > > necessary to re-create flask.h and av_permissions.h header files so
> > > > > > that a user-space object manager can access the associated defines? If
> > > > > > so, would someone give me some pointers as to how these are
> > > > > > generated? 
> > > > > >       
> > > > > >           
> > > > > You should use the dynamic class/permission lookup facilities for any
> > > > > new code.  man selinux_set_mapping
> > > > > 
> > > > > XSELinux and SE-PostgreSQL are already using it I believe.
> > > > >     
> > > > >         
> > > I can't find any evidence that my version of libselinux contains the
> > > selinux_set_mapping function. I am using CentOS 5.1 with libselinux
> > > version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
> > > the times with regards to SELinux functionality. Does libselinux
> > > 1.33.4 not have the dynamic class/permission lookup facilities? If it
> > > does not, any advice on how to add object classes / permissions to
> > > policy? Moving to Fedora is a possibility, maybe it's worth
> > > considering as this would not be the first issue we have had with an
> > > outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
> > > TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
> > > not have the database related object classes /permissions in the base
> > > policy where the most recent Fedora does, hence my need to add the
> > > object classes /permissions in RHEL 5.
> > >     
> > 
> > To use the object class/perm discovery support, you'd need to use a
> > modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).
> > 
> > Note that regardless of whether you use object class/permission
> > discovery support, you have to add the classes and permissions to the
> > policy flask definitions and rebuild your policy.  The object class/perm
> > discovery support just changes how the object manager obtains the values
> > - whether they are hardcoded into it or dynamically looked up at object
> > manager startup.  But the policy itself still needs to be taught about
> > them.
> > 
> > As Ted said, the old way to teach libselinux about new classes/perms is
> > described in:
> > http://selinuxproject.org/page/Adding_New_Permissions
> > 
> > After updating the policy/flask files, you run make in the flask
> > subdirectory (different Makefile than the policy build one) and it will
> > regenerate the header files that are used by libselinux and by the
> > kernel.  Then you can install the libselinux ones into a libselinux
> > source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
> > rebuild your libselinux.
> > 
> >   
> When I install our product on a fresh machine in addition to the
> actual product and the new policy files, will I also need to install a
> new version of the libselinux libraries?

Yes (when using the old way).

>  I assume that the linux kernel needs to somehow access the new object
> class / permissions defines (I'm guessing there is a potential for
> pre-existing defines to change through my policy rebuild), would that
> be through the shared libselinux libraries? Kernel rebuild? (Mucking
> with Linux itself is way out of my area of knowledge.)

No, the kernel doesn't need userspace object class/perm definitions,
because it never references them itself.

-- 
Stephen Smalley
National Security Agency




* Re: adding objects classes and permissions to policy
  2008-10-17 14:23           ` Stephen Smalley
@ 2008-10-17 15:14             ` Andy Warner
  2008-10-17 15:15               ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Andy Warner @ 2008-10-17 15:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Daniel J Walsh




Stephen Smalley wrote:
> On Fri, 2008-10-17 at 16:18 +0200, Andy Warner wrote:
>   
>> Stephen Smalley wrote: 
>>     
>>> On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
>>>   
>>>       
>>>> Stephen Smalley wrote: 
>>>>     
>>>>         
>>>>> On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
>>>>>   
>>>>>       
>>>>>           
>>>>>> On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
>>>>>>     
>>>>>>         
>>>>>>             
>>>>>>> When adding new object classes and permissions to SELinux policy is it
>>>>>>> necessary to re-create flask.h and av_permissions.h header files so
>>>>>>> that a user-space object manager can access the associated defines? If
>>>>>>> so, would someone give me some pointers as to how these are
>>>>>>> generated? 
>>>>>>>       
>>>>>>>           
>>>>>>>               
>>>>>> You should use the dynamic class/permission lookup facilities for any
>>>>>> new code.  man selinux_set_mapping
>>>>>>
>>>>>> XSELinux and SE-PostgreSQL are already using it I believe.
>>>>>>     
>>>>>>         
>>>>>>             
>>>> I can't find any evidence that my version of libselinux contains the
>>>> selinux_set_mapping function. I am using CentOS 5.1 with libselinux
>>>> version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
>>>> the times with regards to SELinux functionality. Does libselinux
>>>> 1.33.4 not have the dynamic class/permission lookup facilities? If it
>>>> does not, any advice on how to add object classes / permissions to
>>>> policy? Moving to Fedora is a possibility, maybe it's worth
>>>> considering as this would not be the first issue we have had with an
>>>> outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
>>>> TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
>>>> not have the database related object classes /permissions in the base
>>>> policy where the most recent Fedora does, hence my need to add the
>>>> object classes /permissions in RHEL 5.
>>>>     
>>>>         
>>> To use the object class/perm discovery support, you'd need to use a
>>> modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).
>>>
>>> Note that regardless of whether you use object class/permission
>>> discovery support, you have to add the classes and permissions to the
>>> policy flask definitions and rebuild your policy.  The object class/perm
>>> discovery support just changes how the object manager obtains the values
>>> - whether they are hardcoded into it or dynamically looked up at object
>>> manager startup.  But the policy itself still needs to be taught about
>>> them.
>>>
>>> As Ted said, the old way to teach libselinux about new classes/perms is
>>> described in:
>>> http://selinuxproject.org/page/Adding_New_Permissions
>>>
>>> After updating the policy/flask files, you run make in the flask
>>> subdirectory (different Makefile than the policy build one) and it will
>>> regenerate the header files that are used by libselinux and by the
>>> kernel.  Then you can install the libselinux ones into a libselinux
>>> source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
>>> rebuild your libselinux.
>>>
>>>   
>>>       
>> When I install our product on a fresh machine in addition to the
>> actual product and the new policy files, will I also need to install a
>> new version of the libselinux libraries?
>>     
>
> Yes (when using the old way).
>
>   
>>  I assume that the linux kernel needs to somehow access the new object
>> class / permissions defines (I'm guessing there is a potential for
>> pre-existing defines to change through my policy rebuild), would that
>> be through the shared libselinux libraries? Kernel rebuild? (Mucking
>> with Linux itself is way out of my area of knowledge.)
>>     
>
> No, the kernel doesn't need userspace object class/perm definitions,
> because it never references them itself.
>   
My concern was not that the kernel would need to access my userspace 
object class/perm definitions but that through creating a new flask.h I 
would change the definitions of pre-existing object classes. For 
instance, my current flask.h has:

#define SECCLASS_FILE   6

If after I generated a new flask.h this somehow changed to:

#define SECCLASS_FILE   7

I would think this could cause an issue with the kernel if it uses the 
SECCLASS_FILE define in code built with the original flask.h. Is this 
possible or are the pre-existing kernel object class defines guaranteed 
to be consistent across policy builds which have new object class 
definitions?




* Re: adding objects classes and permissions to policy
  2008-10-17 15:14             ` Andy Warner
@ 2008-10-17 15:15               ` Stephen Smalley
  2008-10-17 15:55                 ` Protecting against inadvertent file copy Sanjai Narain
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-17 15:15 UTC (permalink / raw)
  To: Andy Warner; +Cc: selinux, Daniel J Walsh

On Fri, 2008-10-17 at 17:14 +0200, Andy Warner wrote:
> 
> 
> Stephen Smalley wrote: 
> > On Fri, 2008-10-17 at 16:18 +0200, Andy Warner wrote:
> >   
> > > Stephen Smalley wrote: 
> > >     
> > > > On Fri, 2008-10-17 at 11:45 +0200, Andy Warner wrote:
> > > >   
> > > >       
> > > > > Stephen Smalley wrote: 
> > > > >     
> > > > >         
> > > > > > On Thu, 2008-10-16 at 15:53 -0400, Stephen Smalley wrote:
> > > > > >   
> > > > > >       
> > > > > >           
> > > > > > > On Thu, 2008-10-16 at 21:40 +0200, Andy Warner wrote:
> > > > > > >     
> > > > > > >         
> > > > > > >             
> > > > > > > > When adding new object classes and permissions to SELinux policy is it
> > > > > > > > necessary to re-create flask.h and av_permissions.h header files so
> > > > > > > > that a user-space object manager can access the associated defines? If
> > > > > > > > so, would someone give me some pointers as to how these are
> > > > > > > > generated? 
> > > > > > > >       
> > > > > > > >           
> > > > > > > >               
> > > > > > > You should use the dynamic class/permission lookup facilities for any
> > > > > > > new code.  man selinux_set_mapping
> > > > > > > 
> > > > > > > XSELinux and SE-PostgreSQL are already using it I believe.
> > > > > > >     
> > > > > > >         
> > > > > > >             
> > > > > I can't find any evidence that my version of libselinux contains the
> > > > > selinux_set_mapping function. I am using CentOS 5.1 with libselinux
> > > > > version 1.33.4. I have been learning RHEL 5 tends to be a bit behind
> > > > > the times with regards to SELinux functionality. Does libselinux
> > > > > 1.33.4 not have the dynamic class/permission lookup facilities? If it
> > > > > does not, any advice on how to add object classes / permissions to
> > > > > policy? Moving to Fedora is a possibility, maybe it's worth
> > > > > considering as this would not be the first issue we have had with an
> > > > > outdated SELinux mechanism on RHEL 5 (?). We are integrating SELinux
> > > > > TE / MLS with our commercial DBMS, and I have learned that RHEL 5 does
> > > > > not have the database related object classes /permissions in the base
> > > > > policy where the most recent Fedora does, hence my need to add the
> > > > > object classes /permissions in RHEL 5.
> > > > >     
> > > > >         
> > > > To use the object class/perm discovery support, you'd need to use a
> > > > modern libselinux (>= 2.0.21) and a modern kernel (>= 2.6.23).
> > > > 
> > > > Note that regardless of whether you use object class/permission
> > > > discovery support, you have to add the classes and permissions to the
> > > > policy flask definitions and rebuild your policy.  The object class/perm
> > > > discovery support just changes how the object manager obtains the values
> > > > - whether they are hardcoded into it or dynamically looked up at object
> > > > manager startup.  But the policy itself still needs to be taught about
> > > > them.
> > > > 
> > > > As Ted said, the old way to teach libselinux about new classes/perms is
> > > > described in:
> > > > http://selinuxproject.org/page/Adding_New_Permissions
> > > > 
> > > > After updating the policy/flask files, you run make in the flask
> > > > subdirectory (different Makefile than the policy build one) and it will
> > > > regenerate the header files that are used by libselinux and by the
> > > > kernel.  Then you can install the libselinux ones into a libselinux
> > > > source tree via make LIBSELINUX_D=/path/to/libselinux tolib, and then
> > > > rebuild your libselinux.
> > > > 
> > > >   
> > > >       
> > > When I install our product on a fresh machine in addition to the
> > > actual product and the new policy files, will I also need to install a
> > > new version of the libselinux libraries?
> > >     
> > 
> > Yes (when using the old way).
> > 
> >   
> > > I assume that the linux kernel needs to somehow access the new object
> > > class / permissions defines (I'm guessing there is a potential for
> > > pre-existing defines to change through my policy rebuild), would that
> > > be through the shared libselinux libraries? Kernel rebuild? (Mucking
> > > with Linux itself is way out of my area of knowledge.)
> > >     
> > 
> > No, the kernel doesn't need userspace object class/perm definitions,
> > because it never references them itself.
> >   
> My concern was not that the kernel would need to access my userspace
> object class/perm definitions but that through creating a new flask.h
> I would change the definitions of pre-existing object classes. For
> instance, my current flask.h has:
> 
> #define SECCLASS_FILE   6
> 
> If after I generated a new flask.h this somehow changed to:
> 
> #define SECCLASS_FILE   7
> 
> I would think this could cause an issue with the kernel if it uses the
> SECCLASS_FILE define in code built with the original flask.h. Is this
> possible or are the pre-existing kernel object class defines
> guaranteed to be consistent across policy builds which have new
> object class definitions?

You have to add new classes to the end of security_classes.

-- 
Stephen Smalley
National Security Agency


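An added example (not from the thread, and not the policy build's own generator) of why the class has to go at the end: SECCLASS_* values in flask.h are assigned by the order of the class declarations in security_classes, so this small C generator derives them from a constructed security_classes text and compares appending db_table with inserting it mid-list. The first seven class names follow the real file's order; db_table is an assumed new class, not one from the thread.

```c
/* Added example, not code from the thread or from the policy build's own header
 * generator. It reproduces the rule behind Stephen's answer: the SECCLASS_* values
 * in flask.h are the 1-based position of each "class" declaration in
 * policy/flask/security_classes. A class appended at the END leaves every existing
 * value, and so every binary built against the old header (the kernel included),
 * unchanged; a class inserted mid-list renumbers everything after it. The
 * security_classes texts are CONSTRUCTED; the first seven entries follow the real
 * file's order, which is why "file" comes out as 6, the value Andy quotes. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HEAD "# FLASK\nclass security\nclass process\nclass system\nclass capability\n"
#define TAIL "class filesystem\nclass file\nclass dir\n"

static const char BASE_CLASSES[] = HEAD TAIL;
static const char APPENDED[] = HEAD TAIL "class db_table\n";   /* right way */
static const char INSERTED[] = HEAD "class db_table\n" TAIL;   /* wrong way */

/* Advance *cursor to the next "class <name>" declaration and copy the name into
 * name[n]; comments, blank lines and other statements are skipped. Returns 1 when
 * a class was found, 0 at end of text. */
static int next_class(const char **cursor, char *name, size_t n)
{
    const char *p = *cursor;
    while (*p) {
        const char *line = p, *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p), k = 0;
        p = eol ? eol + 1 : p + len;
        while (len && isspace((unsigned char)*line)) { line++; len--; }
        if (len < 6 || strncmp(line, "class", 5) || !isspace((unsigned char)line[5]))
            continue;
        const char *s = line + 5, *end = line + len;
        while (s < end && isspace((unsigned char)*s)) s++;
        while (s + k < end && !isspace((unsigned char)s[k]) && k + 1 < n) {
            name[k] = s[k];
            k++;
        }
        name[k] = '\0';
        if (k == 0) continue;                 /* "class" with no name */
        *cursor = p;
        return 1;
    }
    *cursor = p;
    return 0;
}

/* Value of one class (its 1-based position), or 0 if it is not declared. */
unsigned int class_value(const char *security_classes, const char *name)
{
    const char *cur = security_classes;
    char cls[64];
    unsigned int value = 0;
    while (next_class(&cur, cls, sizeof cls)) {
        value++;
        if (strcmp(cls, name) == 0)
            return value;
    }
    return 0;
}

/* Emit flask.h-style defines for every class; returns how many were emitted. */
int emit_flask_defines(const char *security_classes, FILE *out)
{
    const char *cur = security_classes;
    char cls[64];
    int value = 0;
    while (next_class(&cur, cls, sizeof cls)) {
        fputs("#define SECCLASS_", out);
        for (const char *c = cls; *c; c++)
            fputc(toupper((unsigned char)*c), out);
        fprintf(out, " %d\n", ++value);
    }
    return value;
}

int main(void)
{
    emit_flask_defines(APPENDED, stdout);
    printf("\nSECCLASS_FILE: base=%u appended=%u inserted=%u\n",
           class_value(BASE_CLASSES, "file"), class_value(APPENDED, "file"),
           class_value(INSERTED, "file"));                       /* 6 6 7 */
    return 0;
}
```

With db_table appended, SECCLASS_FILE stays 6 and db_table becomes 8; with it inserted after capability, file shifts to 7 and so does everything behind it, which is exactly the mismatch between an already-built kernel and a regenerated header that the question worried about.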


* Protecting against inadvertent file copy
  2008-10-17 15:15               ` Stephen Smalley
@ 2008-10-17 15:55                 ` Sanjai Narain
  2008-10-17 17:14                   ` Stephen Smalley
  0 siblings, 1 reply; 14+ messages in thread
From: Sanjai Narain @ 2008-10-17 15:55 UTC (permalink / raw)
  Cc: selinux

Hello: I am just getting started with SELinux, and would very much 
appreciate an answer to the following question:

Suppose there is a directory ftp_dir. If one wants to allow ftp of one's 
file to the outside world, one places it in ftp_dir. Suppose there is 
also a directory private_dir. One wants to prevent copying of any file 
in that directory into ftp_dir. In particular, one wants to say "do not 
allow cp from private_dir to ftp_dir". How would one go about expressing 
this in SELinux?

Thanks. -- Sanjai






* Re: Protecting against inadvertent file copy
  2008-10-17 15:55                 ` Protecting against inadvertent file copy Sanjai Narain
@ 2008-10-17 17:14                   ` Stephen Smalley
  2008-10-17 19:13                     ` Sanjai Narain
  0 siblings, 1 reply; 14+ messages in thread
From: Stephen Smalley @ 2008-10-17 17:14 UTC (permalink / raw)
  To: Sanjai Narain; +Cc: selinux

On Fri, 2008-10-17 at 11:55 -0400, Sanjai Narain wrote:
> Hello: I am just getting started with SELinux, and would very much 
> appreciate an answer to the following question:
> 
> Suppose there is a directory ftp_dir. If one wants to allow ftp of one's 
> file to the outside world, one places it in ftp_dir. Suppose there is 
> also a directory private_dir. One wants to prevent copying of any file 
> in that directory into ftp_dir. In particular, one wants to say "do not 
> allow cp from private_dir to ftp_dir". How would one go about expressing 
> this in SELinux?

By labeling the two directories with two different types, and defining
the roles/domains such that no domain can both read from private_dir and
write to ftp_dir.  If you want to be strict about it, you'd further have
to ensure that there is no path by which information from private_dir
can eventually flow to ftp_dir, e.g. by copying it first into some
shared directory and then from there to ftp_dir.  apol will show
information flow paths among types.
 
-- 
Stephen Smalley
National Security Agency
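The answer above has two parts: no single domain may both read `private_dir` and write `ftp_dir`, and, to be strict, no chain of domains may carry the data through an intermediate directory. The following is an added example, not from the thread and not apol's code, that shows the kind of analysis apol performs: it builds a read-to-write information flow graph over a constructed set of allow rules (all domain and type names are invented) and searches for paths from the private type to the ftp type, including the "copy via a shared directory" route.

```python
"""Find read -> write information-flow paths between file types, in the spirit
of apol's information flow analysis but over a toy rule set.

Added example (not from the thread, not apol). The allow rules and all
domain/type names are constructed for illustration.
"""

# Constructed allow rules as (source domain, target type, class, permissions),
# the informal equivalent of lines such as:
#   allow user_t private_t:file { read getattr open };
ALLOW_RULES = [
    ("user_t",      "private_t", "file", {"read", "getattr", "open"}),
    ("user_t",      "shared_t",  "file", {"read", "write", "create"}),
    ("ftpd_t",      "ftp_t",     "file", {"read", "getattr"}),
    ("publisher_t", "shared_t",  "file", {"read"}),
    ("publisher_t", "ftp_t",     "file", {"write", "create"}),
]

# Toy approximation of which permissions carry information out of / into a file.
READ_PERMS = {"read"}
WRITE_PERMS = {"write", "append", "create"}


def flow_edges(rules):
    """Return {(t1, t2): {domains}}: a domain that can read t1 and write t2 is
    a channel from type t1 to type t2."""
    reads, writes = {}, {}
    for dom, tgt, cls, perms in rules:
        if cls not in ("file", "dir"):
            continue  # keep the model to file-like objects
        if perms & READ_PERMS:
            reads.setdefault(dom, set()).add(tgt)
        if perms & WRITE_PERMS:
            writes.setdefault(dom, set()).add(tgt)
    edges = {}
    for dom in reads.keys() & writes.keys():
        for t1 in reads[dom]:
            for t2 in writes[dom]:
                if t1 != t2:
                    edges.setdefault((t1, t2), set()).add(dom)
    return edges


def direct_channels(rules, src, dst):
    """Domains that can both read src and write dst (the first condition in
    the answer: there must be none)."""
    return sorted(flow_edges(rules).get((src, dst), set()))


def flow_paths(rules, src, dst):
    """All simple type paths src -> ... -> dst as lists of (from, to, [domains])
    hops (the strict condition: there must be none, direct or indirect)."""
    adjacency = {}
    for (a, b), doms in flow_edges(rules).items():
        adjacency.setdefault(a, []).append((b, sorted(doms)))
    paths, stack = [], [(src, [src], [])]
    while stack:
        node, visited, hops = stack.pop()
        if node == dst:
            paths.append(hops)
            continue
        for nxt, doms in adjacency.get(node, []):
            if nxt not in visited:  # simple paths only
                stack.append((nxt, visited + [nxt], hops + [(node, nxt, doms)]))
    return paths


if __name__ == "__main__":
    print("direct channels:", direct_channels(ALLOW_RULES, "private_t", "ftp_t"))
    for path in flow_paths(ALLOW_RULES, "private_t", "ftp_t"):
        print("flow path:", " -> ".join(f"{a}--{'/'.join(d)}-->{b}" for a, b, d in path))
```

With the constructed rules no domain can read `private_t` and write `ftp_t` directly, yet one indirect path exists (`user_t` copies into `shared_t`, `publisher_t` copies from there into `ftp_t`); removing either of the `publisher_t` rules closes it. Against a real policy the same question is answered with apol's information flow analysis, which also weights permissions rather than using the crude read/write sets here.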



* Re: Protecting against inadvertent file copy
  2008-10-17 17:14                   ` Stephen Smalley
@ 2008-10-17 19:13                     ` Sanjai Narain
  0 siblings, 0 replies; 14+ messages in thread
From: Sanjai Narain @ 2008-10-17 19:13 UTC (permalink / raw)
  Cc: selinux

Hi Steve: Thanks very much! Best regards. -- Sanjai

Stephen Smalley wrote:
> On Fri, 2008-10-17 at 11:55 -0400, Sanjai Narain wrote:
>   
>> Hello: I am just getting started with SELinux, and would very much 
>> appreciate an answer to the following question:
>>
>> Suppose there is a directory ftp_dir. If one wants to allow ftp of one's 
>> file to the outside world, one places it in ftp_dir. Suppose there is 
>> also a directory private_dir. One wants to prevent copying of any file 
>> in that directory into ftp_dir. In particular, one wants to say "do not 
>> allow cp from private_dir to ftp_dir". How would one go about expressing 
>> this in SELinux?
>>     
>
> By labeling the two directories with two different types, and defining
> the roles/domains such that no domain can both read from private_dir and
> write to ftp_dir.  If you want to be strict about it, you'd further have
> to ensure that there is no path by which information from private_dir
> can eventually flow to ftp_dir, e.g. by copying it first into some
> shared directory and then from there to ftp_dir.  apol will show
> information flow paths among types.
>  
>   


