* [refpolicy] Generation of FLASK entries
@ 2011-06-23 16:07 Martin Christian
2011-06-24 13:13 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Martin Christian @ 2011-06-23 16:07 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I'm trying to understand the process how the ref policy is built.
However, I'm wondering how you keep the flask entries up-to-date with
the kernel? To me it seems like you always use the fixed access vector
definitions from policy/flask, isn't it? This might cause the policy
being out of sync with the kernel, e. g.: Kernel 2.6.37 introduced the
permission syslog for class capabiliy2.
Regards,
Martin.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJOA2SiAAoJEGpTkDITRjmooFQIAMIlHA60M0fb8uZNJwbrQJmu
fU/JSsKM1gv7Hx1Hd4bcz48yY/9WT5Pop4v2T1K812sYcfwqR/nwAy9PsOQy2p34
QCUgN0EzbhV6rjcXb5mCeQuOW1wfTeXyTrMqhIiaenh+ePEZdvA6hPE6SnepjiMw
fVl9gyIMw0pCviX0abflJg0l+lJh86XVeLOikp9X6QG2mCUV0dgursXKe/yeiC9O
Vpm/DEL/B3qvAU9RE0EFsnHKNAg+BMfSaedlZm4igNmVo3KxjFYjDjDa1xhX6P7Y
oGNFkbJ+rhhAkzuDR96Sqvr/naLPyvdZfTA3b7X/AfdL8cAbMFb/bIywe6S6RjY=
=xZUX
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 2+ messages in thread
* [refpolicy] Generation of FLASK entries
2011-06-23 16:07 [refpolicy] Generation of FLASK entries Martin Christian
@ 2011-06-24 13:13 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2011-06-24 13:13 UTC (permalink / raw)
To: refpolicy
On 06/23/11 12:07, Martin Christian wrote:
> I'm trying to understand the process how the ref policy is built.
> However, I'm wondering how you keep the flask entries up-to-date with
> the kernel? To me it seems like you always use the fixed access vector
> definitions from policy/flask, isn't it? This might cause the policy
> being out of sync with the kernel, e. g.: Kernel 2.6.37 introduced the
> permission syslog for class capabiliy2.
Yes, the in-policy flask definitions are used. It is possible to get
out of sync, but we're pretty good about getting the flask definitions
updated when new permissions are added. If you do come into the
situation where you have more permissions defined in your kernel than in
your policy, there is a configuration setting for these unknown
permissions. They can either be allowed, denied, or the policy loading
can be rejected. This setting is in the policy itself (see UNK_PERMS
setting in build.conf).
If there are more permissions in the policy than in the kernel, what
happens is kernel memory is wasted due to the unchecked permissions.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-06-24 13:13 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-06-23 16:07 [refpolicy] Generation of FLASK entries Martin Christian
2011-06-24 13:13 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.