On Mon, 2008-01-14 at 14:06 +0000, David Howells wrote:
quoted text
> David Howells <dhowells@redhat.com> wrote:
> 
> > Okay...  It looks like I want four security operations/hooks for cachefiles:
> 
> FYI, I added the following vectors:
> 
> 	# kernel services that need to override task security
> 	class kernel_service
> 	{
> 		use_as_override
> 		create_files_as
> 	}
> 
> The first allows:
> 
> 	avc_has_perm(daemon_tsec->sid, nominated_sid,
> 		     SECCLASS_KERNEL_SERVICE,
> 		     KERNEL_SERVICE__USE_AS_OVERRIDE,
> 		     NULL);
> 
> And the second something like:
> 
> 	avc_has_perm(tsec->sid, inode->sid,
> 		     SECCLASS_KERNEL_SERVICE,
> 		     KERNEL_SERVICE__CREATE_FILES_AS,
> 		     NULL);
> 
> Rather than specifically dedicating them to the cache, I made them general.

Make sure that you or Dan submits a policy patch to register these
classes and permissions in the policy when the kernel patch is queued
for merge.

-- 
Stephen Smalley
National Security Agency

--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/