From: "cto@itechfrontiers.com" <cto@itechfrontiers.com>
To: Behnaz Hassanshahi <behnaz.kallen@yahoo.com>
Cc: SELinux <selinux@tycho.nsa.gov>
Subject: Re: temporal role base access control in Linux
Date: Sun, 07 Nov 2010 09:39:52 -0500
Message-ID: <4CD6BA38.10202@itechfrontiers.com>
In-Reply-To: <182838.53024.qm@web110814.mail.gq1.yahoo.com>
Hello,
avc_has_perm() is for checking if permissions are granted or not
(Access Vector Cache).
A proper method of extending security functionality would be using LSM
APIs and SELinux Hooks (LSM: Linux Security Module)
http://www.nsa.gov/research/_files/selinux/papers/module/x280.shtml
But TRBAC can be simulated with SELinux even without writing specific
code or modifying SELinux, by combining appropriate predefined set of
policies and a scheduler process or hierarchical scheduler with enough
(higher) privileges to load policies on the fly,
Of course if such usage does not need atomic role/policy entry (I don't
see any practical use for such atomic role entry anyway)
You can find more on implementation here:
http://selinuxproject.org/page/NB_LSM
I'm sorry but with all due respect, I don't know if helping people in
Iran on the subject is legal or not (I'm not a lawyer) but judging from
the source of your mail (which is Iran), I prefer not to be involved in any
particular help.
Anyway this is a project developed primarily by the National Security
Agency of the USA, and its contributors.
Yours,
Patrick K.
On 11/7/2010 7:20 AM, Behnaz Hassanshahi wrote:
> Hi,
> I want to enforce temporal role base access control to Fedora10
> platform. Therefore, I have written a piece of code which receives
> simple temporal policy rules and updates a file in which disallowed
> roles are being kept. In order to attach the code to the fedora core, I
> am making use of SELinux modules. I wonder if the avc_has_perm(...) function
> in libselinux/src/avc.c can be the right place for using my code where
> requests will be granted or denied access. Actually, I had thought about
> getting the role field from the security_id_t (@ssid) and comparing it
> with the denied roles that my code computes. If I'm wrong and this will
> not work out, are there any other suggestions for attaching my code to
> SELinux?
>
> Best regards,
> Behnaz
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
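The scheduler Patrick sketches (predefined policies plus a privileged process that loads them on the fly) as an added example, not code from this thread or from the SELinux project. It assumes each temporal role has a pre-built policy module named `trbac_<role>` that is enabled or disabled with `semodule -e` / `semodule -d`; the rule format and sample rules are constructed here.

```python
"""Time-driven policy scheduler simulating TRBAC on top of SELinux.

Assumed (not from the thread): one pre-built module "trbac_<role>" per
temporal role; the scheduler enables it inside the role's daily window and
disables it outside. Constructed rule format: "<role> <HH:MM>-<HH:MM>";
a window whose end is not after its start wraps past midnight.
Loading a module is not atomic, so a request racing the reload may still
see the old policy, the caveat Patrick raises about atomic role entry.
"""
import datetime as dt
import subprocess

# Constructed sample rule set (not a real deployment).
SAMPLE_RULES = """\
# role          window (local time)
auditadm_r      09:00-17:00
backup_r        22:00-02:00
webadm_r        00:00-24:00
"""

def _minutes(hhmm):
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h <= 24 and 0 <= m < 60) or (h == 24 and m != 0):
        raise ValueError("bad time %r" % hhmm)
    return h * 60 + m

def parse_rules(text):
    """Return [(role, start_min, end_min)], skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            role, window = line.split()
            start, end = window.split("-")
            rules.append((role, _minutes(start), _minutes(end)))
    return rules

def in_window(now_min, start, end):
    """True if now_min is inside [start, end); wrap when end <= start."""
    if start < end:
        return start <= now_min < end
    return now_min >= start or now_min < end

def desired_state(rules, now_min):
    """Map module name -> enabled? for the given minutes since midnight."""
    return {"trbac_" + r: in_window(now_min, s, e) for r, s, e in rules}

def plan_commands(state):
    """semodule invocations that bring the loaded policy to `state`."""
    return [["semodule", "-e" if on else "-d", m] for m, on in sorted(state.items())]

def run(rules_text=SAMPLE_RULES, apply=False):
    """Print (and with apply=True, as root, execute) this minute's commands."""
    now = dt.datetime.now()
    cmds = plan_commands(desired_state(parse_rules(rules_text), now.hour * 60 + now.minute))
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return cmds
```

Run it from cron once a minute (or at each window boundary) with `apply=True`; without it, the script only prints the planned module changes.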