Re: Interoperation with SELinux

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Casey Schaufler <casey@schaufler-ca.com>
To: Robert Mykland <robert@ascenium.com>
Cc: linux-security-module@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>,
	SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Interoperation with SELinux
Date: Mon, 06 Apr 2009 20:16:23 -0700	[thread overview]
Message-ID: <49DAC587.5000400@schaufler-ca.com> (raw)
In-Reply-To: <49DA8BE2.2040302@ascenium.com>

Robert Mykland wrote:
> Gentlemen,
>
> I am trying to write something that will allow only a particular
> application to access a particular block device in the system, except
> that maybe directory reads are allowed.  It seems clear that this
> would be simple to do as a security module, but SELinux is also used
> on the system I'm writing this for.  Reading the archives, it seems as
> though there's currently no way to write a security module that will
> interoperate with the SELinux security module.  Am I wrong?

No, you are correct. Stacking of Linux Security Modules (LSMs) is not
supported and the notion is currently out of favor.

>
> From my untutored perusal of the SELinux docs, I'm also getting the
> sense that I couldn't write this into an SELinux profile of some sort.

At the risk of sounding sarcastic (I'm the leader of the Loyal Opposition
to SELinux) I suspect that there is a way to do it using SELinux policy,
but that attempting it may require significant policy development skills.
You might take your question to the SELinux mailing list (I've cc'ed it
for you) as that's likely to be your best resource on this. Good luck.


>
> Your thoughts on this would be greatly appreciated.
>
> -- Robert.
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

          parent reply	other threads:[~2009-04-07  3:16 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <49DA8BE2.2040302@ascenium.com>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=49DAC587.5000400@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=robert@ascenium.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.