From: Stephen Smalley <sds@tycho.nsa.gov>
To: dE <de.techno@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: Security server responses always based on class?
Date: Fri, 11 Apr 2014 08:17:10 -0400 [thread overview]
Message-ID: <5347DD46.9060705@tycho.nsa.gov> (raw)
In-Reply-To: <53478F76.7040700@gmail.com>
On 04/11/2014 02:45 AM, dE wrote:
> Does the object manager always query the security server based on
> classes? And does the security server always respond with an access vector?
>
> OR
>
> Can the object manager query the security server on specific permissions
> (which make up a class) without querying for a response for the whole
> security class?
The security server interface is security_compute_av(), which always
computes the entire access vector for the class.

Object managers, however, will typically call the Access Vector Cache
(AVC) interface avc_has_perm(), which checks particular permissions.
Internally, the AVC calls security_compute_av() if the access vector is
not already cached for the (source context, target context, target
class) triple and caches the result.

More recent work on userspace object managers has introduced a higher
level API, selinux_check_access(), which internally handles the mapping
of contexts to SIDs and the mapping of class and permission strings to
values and calls avc_has_perm().

All of these APIs are provided by libselinux and have corresponding man
pages.
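The layering described in the reply above, as an added example that is not libselinux's own code: a small C model in which security_compute_av() always returns the whole access vector for a (source SID, target SID, class) triple, while avc_has_perm() checks only the requested bits and goes to the security server only when that triple is not yet cached. The SIDs, the class number and the two-rule policy table are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Simplified model of the SELinux security server / AVC split.
 * Added example, not libselinux code; SIDs, class numbers and the
 * policy table are constructed values. Permission bits: 0x1 read, 0x2 write. */
typedef uint32_t access_vector_t;

struct rule { uint32_t ssid, tsid; uint16_t tclass; access_vector_t allowed; };
static const struct rule policy[] = {       /* constructed "policy" */
    { 1, 2, 1 /* file */, 0x1 | 0x2 },      /* read|write */
    { 1, 3, 1 /* file */, 0x1 },            /* read only  */
};
static int compute_calls;                   /* trips to the security server */

/* Security server: computes the ENTIRE access vector for the triple. */
static access_vector_t security_compute_av(uint32_t ssid, uint32_t tsid, uint16_t tclass) {
    compute_calls++;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid && policy[i].tclass == tclass)
            return policy[i].allowed;
    return 0;                               /* no rule: default deny */
}

/* AVC: cache keyed by (source SID, target SID, target class). */
struct avc_entry { uint32_t ssid, tsid; uint16_t tclass; access_vector_t allowed; bool used; };
static struct avc_entry avc_cache[16];

static access_vector_t avc_lookup_or_compute(uint32_t ssid, uint32_t tsid, uint16_t tclass) {
    struct avc_entry *slot = NULL;
    for (size_t i = 0; i < 16; i++) {
        struct avc_entry *e = &avc_cache[i];
        if (e->used && e->ssid == ssid && e->tsid == tsid && e->tclass == tclass)
            return e->allowed;              /* cache hit: no server call */
        if (!e->used && !slot) slot = e;
    }
    access_vector_t av = security_compute_av(ssid, tsid, tclass);
    if (slot) *slot = (struct avc_entry){ ssid, tsid, tclass, av, true };
    return av;
}

/* Object-manager entry point: 0 if every requested bit is allowed, -1 otherwise. */
int avc_has_perm(uint32_t ssid, uint32_t tsid, uint16_t tclass, access_vector_t requested) {
    access_vector_t allowed = avc_lookup_or_compute(ssid, tsid, tclass);
    return (requested & ~allowed) == 0 ? 0 : -1;
}

int avc_compute_calls(void) { return compute_calls; }
```

Two checks of different permissions against the same triple cost one security_compute_av() call, which is the point of the cache.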