* class kernel_service not defined in policy
@ 2008-12-30 5:56 ` Justin Mattock
0 siblings, 0 replies; 10+ messages in thread
From: Justin Mattock @ 2008-12-30 5:56 UTC (permalink / raw)
To: tresys; +Cc: SE-Linux
Hello;
this was received when doing a git-pull
today from the linus tree.
class kernel_service not defined in policy
[ 0.000999] SELinux: Initializing.
[ 0.000999] SELinux: Starting in enforcing mode
[ 0.263823] SELinux: Registering netfilter hooks
[ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
sens, 256 cats
[ 2.525821] SELinux: 73 classes, 145624 rules
[ 2.540472] SELinux: class kernel_service not defined in policy
[ 2.548944] SELinux: the above unknown classes and permissions will be denied
[ 2.557235] SELinux: Completing initialization.
[ 2.565527] SELinux: Setting up existing superblocks.
[ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
[ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
uses genfs_contexts
[ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
transition SIDs
[ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
uses genfs_contexts
[ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
transition SIDs
[ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
uses genfs_contexts
[ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 2.778693] SELinux: initialized (dev anon_inodefs, type
anon_inodefs), uses genfs_contexts
[ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
[ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
genfs_contexts
[ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
[ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
[ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
[ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
genfs_contexts
[ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
[ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
[ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
I've been running the latest svn from tresys for(I think a week or so);
So the message might already be fixed.
regards;
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] class kernel_service not defined in policy
@ 2008-12-30 5:56 ` Justin Mattock
0 siblings, 0 replies; 10+ messages in thread
From: Justin Mattock @ 2008-12-30 5:56 UTC (permalink / raw)
To: refpolicy
Hello;
this was received when doing a git-pull
today from the linus tree.
class kernel_service not defined in policy
[ 0.000999] SELinux: Initializing.
[ 0.000999] SELinux: Starting in enforcing mode
[ 0.263823] SELinux: Registering netfilter hooks
[ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
[ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
sens, 256 cats
[ 2.525821] SELinux: 73 classes, 145624 rules
[ 2.540472] SELinux: class kernel_service not defined in policy
[ 2.548944] SELinux: the above unknown classes and permissions will be denied
[ 2.557235] SELinux: Completing initialization.
[ 2.565527] SELinux: Setting up existing superblocks.
[ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
[ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
uses genfs_contexts
[ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
transition SIDs
[ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
uses genfs_contexts
[ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
transition SIDs
[ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
uses genfs_contexts
[ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 2.778693] SELinux: initialized (dev anon_inodefs, type
anon_inodefs), uses genfs_contexts
[ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
[ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
genfs_contexts
[ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
[ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
[ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
[ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
genfs_contexts
[ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
[ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
[ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
[ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
transition SIDs
I've been running the latest svn from tresys for(I think a week or so);
So the message might already be fixed.
regards;
--
Justin P. Mattock
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: class kernel_service not defined in policy
2008-12-30 5:56 ` [refpolicy] " Justin Mattock
@ 2008-12-30 18:13 ` David P. Quigley
-1 siblings, 0 replies; 10+ messages in thread
From: David P. Quigley @ 2008-12-30 18:13 UTC (permalink / raw)
To: Justin Mattock; +Cc: tresys, SE-Linux
On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
> Hello;
> this was received when doing a git-pull
> today from the linus tree.
> class kernel_service not defined in policy
>
>
> [ 0.000999] SELinux: Initializing.
> [ 0.000999] SELinux: Starting in enforcing mode
> [ 0.263823] SELinux: Registering netfilter hooks
> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
> sens, 256 cats
> [ 2.525821] SELinux: 73 classes, 145624 rules
> [ 2.540472] SELinux: class kernel_service not defined in policy
> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
> [ 2.557235] SELinux: Completing initialization.
> [ 2.565527] SELinux: Setting up existing superblocks.
> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
> uses genfs_contexts
> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
> transition SIDs
> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
> uses genfs_contexts
> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
> transition SIDs
> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
> uses genfs_contexts
> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
> anon_inodefs), uses genfs_contexts
> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
> genfs_contexts
> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
> genfs_contexts
> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
>
> I've been running the latest svn from tresys for(I think a week or so);
> So the message might already be fixed.
>
> regards;
So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
security tree into Linus's main tree. On of the patch sets in there is
the new credentials work from David Howells. One of those patches adds a
kernel service object class to selinux so policy can be written to all
that service to be granted the ability to override certain permission
checks. I just built a policy from refpolicy and the policy.conf doesn't
have a kernel_service object class. I'm not sure if the policy engine
uses the kernel headers, the dynamic object class discovery mechanism,
or a built in list to generate the boilerplate with all the object
classes and permissions. Regardless it is mainly so things like cachefs
and NFSD can be granted the ability to act as other entities when
making/fulfilling requests. I don't think there is a need to be
concerned about it yet unless something is no longer working for you.
Dave
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] class kernel_service not defined in policy
@ 2008-12-30 18:13 ` David P. Quigley
0 siblings, 0 replies; 10+ messages in thread
From: David P. Quigley @ 2008-12-30 18:13 UTC (permalink / raw)
To: refpolicy
On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
> Hello;
> this was received when doing a git-pull
> today from the linus tree.
> class kernel_service not defined in policy
>
>
> [ 0.000999] SELinux: Initializing.
> [ 0.000999] SELinux: Starting in enforcing mode
> [ 0.263823] SELinux: Registering netfilter hooks
> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
> sens, 256 cats
> [ 2.525821] SELinux: 73 classes, 145624 rules
> [ 2.540472] SELinux: class kernel_service not defined in policy
> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
> [ 2.557235] SELinux: Completing initialization.
> [ 2.565527] SELinux: Setting up existing superblocks.
> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
> uses genfs_contexts
> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
> transition SIDs
> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
> uses genfs_contexts
> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
> transition SIDs
> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
> uses genfs_contexts
> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
> anon_inodefs), uses genfs_contexts
> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
> genfs_contexts
> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
> genfs_contexts
> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
> transition SIDs
>
> I've been running the latest svn from tresys for(I think a week or so);
> So the message might already be fixed.
>
> regards;
So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
security tree into Linus's main tree. On of the patch sets in there is
the new credentials work from David Howells. One of those patches adds a
kernel service object class to selinux so policy can be written to all
that service to be granted the ability to override certain permission
checks. I just built a policy from refpolicy and the policy.conf doesn't
have a kernel_service object class. I'm not sure if the policy engine
uses the kernel headers, the dynamic object class discovery mechanism,
or a built in list to generate the boilerplate with all the object
classes and permissions. Regardless it is mainly so things like cachefs
and NFSD can be granted the ability to act as other entities when
making/fulfilling requests. I don't think there is a need to be
concerned about it yet unless something is no longer working for you.
Dave
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: class kernel_service not defined in policy
2008-12-30 18:13 ` [refpolicy] " David P. Quigley
@ 2008-12-30 21:59 ` Justin P. Mattock
-1 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2008-12-30 21:59 UTC (permalink / raw)
To: David P. Quigley; +Cc: tresys, SE-Linux
David P. Quigley wrote:
> On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
>
>> Hello;
>> this was received when doing a git-pull
>> today from the linus tree.
>> class kernel_service not defined in policy
>>
>>
>> [ 0.000999] SELinux: Initializing.
>> [ 0.000999] SELinux: Starting in enforcing mode
>> [ 0.263823] SELinux: Registering netfilter hooks
>> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
>> sens, 256 cats
>> [ 2.525821] SELinux: 73 classes, 145624 rules
>> [ 2.540472] SELinux: class kernel_service not defined in policy
>> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
>> [ 2.557235] SELinux: Completing initialization.
>> [ 2.565527] SELinux: Setting up existing superblocks.
>> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
>> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
>> uses genfs_contexts
>> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
>> transition SIDs
>> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
>> uses genfs_contexts
>> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
>> transition SIDs
>> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
>> uses genfs_contexts
>> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
>> anon_inodefs), uses genfs_contexts
>> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
>> genfs_contexts
>> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
>> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
>> genfs_contexts
>> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>>
>> I've been running the latest svn from tresys for(I think a week or so);
>> So the message might already be fixed.
>>
>> regards;
>>
>
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
>
> Dave
>
>
>
No worries, I figured it was better to send
a post, rather than to say nothing at all.
I did notice the commit, looks nice,
although the graphics module is broken
with the capability i.g. current_euid();
eventually in time that will be fixed.
As for the policy, everything seems good.
just one question what is UBAC
how to I use that? or is it something alse!
regards;
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] class kernel_service not defined in policy
@ 2008-12-30 21:59 ` Justin P. Mattock
0 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2008-12-30 21:59 UTC (permalink / raw)
To: refpolicy
David P. Quigley wrote:
> On Mon, 2008-12-29 at 21:56 -0800, Justin Mattock wrote:
>
>> Hello;
>> this was received when doing a git-pull
>> today from the linus tree.
>> class kernel_service not defined in policy
>>
>>
>> [ 0.000999] SELinux: Initializing.
>> [ 0.000999] SELinux: Starting in enforcing mode
>> [ 0.263823] SELinux: Registering netfilter hooks
>> [ 2.247051] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.343549] SELinux: 8192 avtab hash slots, 145624 rules.
>> [ 2.517323] SELinux: 7 users, 9 roles, 2684 types, 95 bools, 1
>> sens, 256 cats
>> [ 2.525821] SELinux: 73 classes, 145624 rules
>> [ 2.540472] SELinux: class kernel_service not defined in policy
>> [ 2.548944] SELinux: the above unknown classes and permissions will be denied
>> [ 2.557235] SELinux: Completing initialization.
>> [ 2.565527] SELinux: Setting up existing superblocks.
>> [ 2.601357] SELinux: initialized (dev sda1, type ext3), uses xattr
>> [ 2.729447] SELinux: initialized (dev selinuxfs, type selinuxfs),
>> uses genfs_contexts
>> [ 2.737693] SELinux: initialized (dev mqueue, type mqueue), uses
>> transition SIDs
>> [ 2.745982] SELinux: initialized (dev hugetlbfs, type hugetlbfs),
>> uses genfs_contexts
>> [ 2.754208] SELinux: initialized (dev devpts, type devpts), uses
>> transition SIDs
>> [ 2.762309] SELinux: initialized (dev inotifyfs, type inotifyfs),
>> uses genfs_contexts
>> [ 2.770475] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 2.778693] SELinux: initialized (dev anon_inodefs, type
>> anon_inodefs), uses genfs_contexts
>> [ 2.786995] SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
>> [ 2.795429] SELinux: initialized (dev debugfs, type debugfs), uses
>> genfs_contexts
>> [ 2.803860] SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
>> [ 2.812224] SELinux: initialized (dev proc, type proc), uses genfs_contexts
>> [ 2.820584] SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
>> [ 2.828671] SELinux: initialized (dev rootfs, type rootfs), uses
>> genfs_contexts
>> [ 2.836629] SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
>> [ 3.640416] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.778811] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 3.792920] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 8.328082] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>> [ 9.578021] SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
>> [ 10.554482] SELinux: initialized (dev tmpfs, type tmpfs), uses
>> transition SIDs
>>
>> I've been running the latest svn from tresys for(I think a week or so);
>> So the message might already be fixed.
>>
>> regards;
>>
>
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
>
> Dave
>
>
>
No worries, I figured it was better to send
a post, rather than to say nothing at all.
I did notice the commit, looks nice,
although the graphics module is broken
with the capability i.g. current_euid();
eventually in time that will be fixed.
As for the policy, everything seems good.
just one question what is UBAC
how to I use that? or is it something alse!
regards;
Justin P. Mattock
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: class kernel_service not defined in policy
2008-12-30 18:13 ` [refpolicy] " David P. Quigley
@ 2008-12-30 23:36 ` Eric Paris
-1 siblings, 0 replies; 10+ messages in thread
From: Eric Paris @ 2008-12-30 23:36 UTC (permalink / raw)
To: David P. Quigley
Cc: Justin Mattock, tresys, SE-Linux, Christopher J. PeBenito
On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <dpquigl@tycho.nsa.gov> wrote:
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
It shouldn't be of concern to you. But refpolicy needs to add at
least the class (if not the perms) so it doesn't get assigned to
anything else...
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
Looks like it is class number 74 (and if it's already used in policy
we need to fix one or the other quickly....)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] class kernel_service not defined in policy
@ 2008-12-30 23:36 ` Eric Paris
0 siblings, 0 replies; 10+ messages in thread
From: Eric Paris @ 2008-12-30 23:36 UTC (permalink / raw)
To: refpolicy
On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <dpquigl@tycho.nsa.gov> wrote:
> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
> security tree into Linus's main tree. On of the patch sets in there is
> the new credentials work from David Howells. One of those patches adds a
> kernel service object class to selinux so policy can be written to all
> that service to be granted the ability to override certain permission
> checks. I just built a policy from refpolicy and the policy.conf doesn't
> have a kernel_service object class. I'm not sure if the policy engine
> uses the kernel headers, the dynamic object class discovery mechanism,
> or a built in list to generate the boilerplate with all the object
> classes and permissions. Regardless it is mainly so things like cachefs
> and NFSD can be granted the ability to act as other entities when
> making/fulfilling requests. I don't think there is a need to be
> concerned about it yet unless something is no longer working for you.
It shouldn't be of concern to you. But refpolicy needs to add at
least the class (if not the perms) so it doesn't get assigned to
anything else...
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
Looks like it is class number 74 (and if it's already used in policy
we need to fix one or the other quickly....)
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: class kernel_service not defined in policy
2008-12-30 23:36 ` [refpolicy] " Eric Paris
@ 2008-12-31 1:04 ` Justin P. Mattock
-1 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2008-12-31 1:04 UTC (permalink / raw)
To: Eric Paris; +Cc: David P. Quigley, tresys, SE-Linux, Christopher J. PeBenito
Eric Paris wrote:
> On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <dpquigl@tycho.nsa.gov> wrote:
>
>
>> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
>> security tree into Linus's main tree. On of the patch sets in there is
>> the new credentials work from David Howells. One of those patches adds a
>> kernel service object class to selinux so policy can be written to all
>> that service to be granted the ability to override certain permission
>> checks. I just built a policy from refpolicy and the policy.conf doesn't
>> have a kernel_service object class. I'm not sure if the policy engine
>> uses the kernel headers, the dynamic object class discovery mechanism,
>> or a built in list to generate the boilerplate with all the object
>> classes and permissions. Regardless it is mainly so things like cachefs
>> and NFSD can be granted the ability to act as other entities when
>> making/fulfilling requests. I don't think there is a need to be
>> concerned about it yet unless something is no longer working for you.
>>
>
> It shouldn't be of concern to you. But refpolicy needs to add at
> least the class (if not the perms) so it doesn't get assigned to
> anything else...
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
>
> Looks like it is class number 74 (and if it's already used in policy
> we need to fix one or the other quickly....)
>
>
No worries man!!
regards;
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] class kernel_service not defined in policy
@ 2008-12-31 1:04 ` Justin P. Mattock
0 siblings, 0 replies; 10+ messages in thread
From: Justin P. Mattock @ 2008-12-31 1:04 UTC (permalink / raw)
To: refpolicy
Eric Paris wrote:
> On Tue, Dec 30, 2008 at 1:13 PM, David P. Quigley <dpquigl@tycho.nsa.gov> wrote:
>
>
>> So commit bb26c6c29b7cc9f39e491b074b09f3c284738d36 is a merger of James'
>> security tree into Linus's main tree. On of the patch sets in there is
>> the new credentials work from David Howells. One of those patches adds a
>> kernel service object class to selinux so policy can be written to all
>> that service to be granted the ability to override certain permission
>> checks. I just built a policy from refpolicy and the policy.conf doesn't
>> have a kernel_service object class. I'm not sure if the policy engine
>> uses the kernel headers, the dynamic object class discovery mechanism,
>> or a built in list to generate the boilerplate with all the object
>> classes and permissions. Regardless it is mainly so things like cachefs
>> and NFSD can be granted the ability to act as other entities when
>> making/fulfilling requests. I don't think there is a need to be
>> concerned about it yet unless something is no longer working for you.
>>
>
> It shouldn't be of concern to you. But refpolicy needs to add at
> least the class (if not the perms) so it doesn't get assigned to
> anything else...
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1bfdc75ae077d60a01572a7781ec6264d55ab1b9
>
> Looks like it is class number 74 (and if it's already used in policy
> we need to fix one or the other quickly....)
>
>
No worries man!!
regards;
Justin P. Mattock
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2008-12-31 1:04 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-12-30 5:56 class kernel_service not defined in policy Justin Mattock
2008-12-30 5:56 ` [refpolicy] " Justin Mattock
2008-12-30 18:13 ` David P. Quigley
2008-12-30 18:13 ` [refpolicy] " David P. Quigley
2008-12-30 21:59 ` Justin P. Mattock
2008-12-30 21:59 ` [refpolicy] " Justin P. Mattock
2008-12-30 23:36 ` Eric Paris
2008-12-30 23:36 ` [refpolicy] " Eric Paris
2008-12-31 1:04 ` Justin P. Mattock
2008-12-31 1:04 ` [refpolicy] " Justin P. Mattock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.