From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: selinux@tycho.nsa.gov
Subject: Limitations in modular policy
Date: Tue, 08 Sep 2009 09:55:15 +0900
Message-ID: <4AA5AB73.6050306@ak.jp.nec.com>
Is there any good reason why the current modular policy doesn't, cannot,
or shouldn't support containing definitions of object classes and their
access vectors except in the base policy?
For example, it seems reasonable to me to have the following statements
to support experimental object classes and access vectors.
--------------------------------
policy_module(sepostgresql-devel, 1.23)
gen_require(`
    class db_database all_db_database_perms;
    attribute sepgsql_unconfined_type;
    type sepgsql_db_t;
')
## 1. Add an experimental access vector
class db_database { superuser };
## 2. Add an experimental object class
class db_schema
    inherits database
{
    search
    add_name
    remove_name
};
## 3. Add experimental MLS/MCS rules
ifdef(`enable_mcs',`
mlsconstrain db_database { superuser }
    ( h1 dom h2 );
mlsconstrain db_schema { create relabelto }
    (( h1 dom h2 ) and ( l2 eq h2 ));
mlsconstrain db_schema { drop getattr setattr relabelfrom search add_name remove_name }
    ( h1 dom h2 );
')
ifdef(`enable_mls',`
    :
    <snip>
    :
')
## 4. avtab rules currently supported
type sepgsql_schema_t;
allow sepgsql_unconfined_type sepgsql_db_t : db_database *;
allow sepgsql_unconfined_type sepgsql_schema_t : db_schema *;
--------------------------------
Currently, SE-PostgreSQL has several experimental object classes and access
vectors (such as the db_schema class and db_database:{superuser}), but we will
need several more months at least to fix its specifications, because progress
in pgsql-hackers is too slow.
So we must replace the standard selinux-policy package to run it with full
functionality, but that will cause trouble on each "yum update".
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
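As an added illustration of the limitation the mail describes (not code from the mail or from SE-PostgreSQL), the lint below scans a refpolicy-style .te module for class declarations, which the mail notes are only accepted in the base policy, while ignoring the `class` lines inside gen_require(), which are require statements that modules may carry. The sample .te text is constructed, modelled on the module quoted above.

```python
"""Flag object-class declarations in a policy module's .te source.
Added example: assumes class/perm definitions belong only to the base
policy, as the mail states; gen_require() blocks are require statements
and are skipped."""
import re

# Constructed sample, modelled on the module quoted in the mail.
SAMPLE_TE = """\
policy_module(sepostgresql-devel, 1.23)
gen_require(`
    class db_database all_db_database_perms;
    attribute sepgsql_unconfined_type;
    type sepgsql_db_t;
')
## 1. Add an experimental access vector
class db_database { superuser };
## 2. Add an experimental object class
class db_schema
    inherits database
{
    search
    add_name
    remove_name
};
type sepgsql_schema_t;
allow sepgsql_unconfined_type sepgsql_db_t : db_database *;
"""

def strip_requires(text):
    """Drop gen_require(` ... ') blocks so their 'class' require lines
    are not mistaken for declarations."""
    return re.sub(r"gen_require\(`.*?'\)", "", text, flags=re.S)

def find_class_declarations(text):
    """Return (class_name, [perms]) for every statement of the form
    'class NAME [inherits COMMON] { perm ... };' outside gen_require()."""
    body = re.sub(r"#.*", "", strip_requires(text))      # drop comments
    pat = re.compile(r"\bclass\s+(\w+)\s*(?:inherits\s+\w+\s*)?\{([^}]*)\}\s*;")
    return [(m.group(1), m.group(2).split()) for m in pat.finditer(body)]

def lint_module(text):
    """One message per declaration that a non-base module cannot carry."""
    return ["class '%s' declares perms %s: class/perm definitions are only "
            "accepted in the base policy" % (name, perms)
            for name, perms in find_class_declarations(text)]

if __name__ == "__main__":
    for msg in lint_module(SAMPLE_TE):
        print(msg)
```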