On Wed, Feb 18, 2009 at 2:43 PM, Gordon Sim <[email protected]> wrote:
> Joshua Kramer wrote:
>>
>> Hey, that'd be great! I may also post to the SELinux mailing list. After
>> looking over the SELinux documentation and some other resources, here's
>> what I've found.
>>
>> There are a couple of ways we can go about this. The first way is to use
>> pseudo-contexts to load ACLs stored in SELinux into Qpid ACLs. (Here,
>> 'context' means a SELinux context.) To accomplish access control in this
>> manner, we need to do the following:
>>
>> 1. Create some pseudo-contexts representing Qpid objects (things like
>> queues, exchanges, etc.)
>> 2. Go to a file on the filesystem and read in text-based user names.
>> 3. For each name, compute the target contexts that it is allowed to
>> access... and convert those into Qpid ACLs.
>>
>> I do not think there is a way to call SELinux and ask it, "give me a list
>> of all the users in the Qpid Type, and the things they can access..." But
>> I may be mistaken. There are some third-party SELinux tools for which the
>> source is accessible, so I may peruse those tools.
>>
>> The second way in which we can integrate SELinux into Qpid is a bit more
>> complicated. Instead of using the built-in ACLs, we can go into the data
>> structures holding the various Qpid objects (queues, exchanges, etc.) and
>> add elements for SELinux security contexts to each object. We would then
>> place calls to security_compute_av before each call that manipulates an
>> object, to determine if that particular operation was permitted.
>
> We already have calls to the authorise() method on the loaded instance of
> AclModule (which is pluggable). Can that not be implemented as a call to
> security_compute_av?
Yep, that's exactly what I meant. As it is, I believe AclModule has a reasonable abstraction.

Rajith

> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:[email protected]
>

-- 
Regards,
Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/
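To make the suggestion in the thread concrete, here is an added example (not code from the Qpid project or from anyone in this thread) of an authorise()-style check driven by an access-vector decision in the shape libselinux's security_compute_av() returns. The `compute_av()` function, the `policy` table, the `qpid_queue` object class with its permission bits, and every context string are constructed for the illustration; a real broker plug-in would call `security_compute_av()` from libselinux (which takes a `security_class_t` rather than a class name string) against the loaded system policy instead of this lookup table. The security-relevant detail it shows is the comparison the caller must still do: access is granted only when every requested bit is present in `allowed`, and any failure of the decision routine is treated as a denial.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Types shaped like libselinux's: access_vector_t is an unsigned int
 * there, and struct av_decision also carries seqno/flags, omitted here. */
typedef uint32_t access_vector_t;

struct av_decision {
    access_vector_t allowed;     /* permissions the policy grants */
    access_vector_t decided;     /* permissions this decision covers */
    access_vector_t auditallow;  /* granted permissions to log anyway */
    access_vector_t auditdeny;   /* denied permissions to log */
};

/* Constructed permission bits for a hypothetical "qpid_queue" class. */
enum qpid_queue_perm {
    QPID_QUEUE__CONSUME = 1u << 0,
    QPID_QUEUE__PUBLISH = 1u << 1,
    QPID_QUEUE__CREATE  = 1u << 2,
    QPID_QUEUE__DELETE  = 1u << 3
};

struct allow_rule {
    const char *scon;    /* source (subject) context */
    const char *tcon;    /* target (object) context */
    const char *tclass;  /* object class name */
    access_vector_t allowed;
};

/* Constructed policy standing in for the loaded SELinux policy; the
 * type names are invented for this example. */
static const struct allow_rule policy[] = {
    { "user_u:user_r:qpid_client_t", "system_u:object_r:qpid_orders_queue_t",
      "qpid_queue", QPID_QUEUE__CONSUME | QPID_QUEUE__PUBLISH },
    { "user_u:user_r:qpid_admin_t",  "system_u:object_r:qpid_orders_queue_t",
      "qpid_queue", QPID_QUEUE__CONSUME | QPID_QUEUE__PUBLISH |
                    QPID_QUEUE__CREATE  | QPID_QUEUE__DELETE },
};

/* Stand-in for security_compute_av(): ORs every allow rule matching the
 * (scon, tcon, tclass) triple into avd->allowed. Like libselinux it
 * returns 0 on success and leaves the bit comparison to the caller; a
 * triple with no rules simply yields allowed == 0. */
static int compute_av(const char *scon, const char *tcon, const char *tclass,
                      access_vector_t requested, struct av_decision *avd)
{
    size_t i;
    if (!scon || !tcon || !tclass || !avd)
        return -1;
    memset(avd, 0, sizeof *avd);
    avd->decided = requested;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct allow_rule *r = &policy[i];
        if (strcmp(r->scon, scon) == 0 && strcmp(r->tcon, tcon) == 0 &&
            strcmp(r->tclass, tclass) == 0)
            avd->allowed |= r->allowed;
    }
    avd->auditdeny = requested & ~avd->allowed;  /* what was refused */
    return 0;
}

/* The authorise() step the thread discusses: 1 only when every requested
 * permission bit is in the allowed vector; any failure of the underlying
 * decision (bad input, lookup error) is a denial. */
int authorise(const char *scon, const char *tcon, const char *tclass,
              access_vector_t requested)
{
    struct av_decision avd;
    if (requested == 0)
        return 0;  /* nothing requested: refuse rather than rubber-stamp */
    if (compute_av(scon, tcon, tclass, requested, &avd) != 0)
        return 0;
    if ((requested & ~avd.allowed) != 0) {
        fprintf(stderr, "denied scon=%s tcon=%s tclass=%s auditdeny=0x%x\n",
                scon, tcon, tclass, (unsigned)avd.auditdeny);
        return 0;
    }
    return 1;
}

int main(void)
{
    const char *client = "user_u:user_r:qpid_client_t";
    const char *admin  = "user_u:user_r:qpid_admin_t";
    const char *orders = "system_u:object_r:qpid_orders_queue_t";
    printf("client consume: %d\n",
           authorise(client, orders, "qpid_queue", QPID_QUEUE__CONSUME));
    printf("client delete:  %d\n",
           authorise(client, orders, "qpid_queue", QPID_QUEUE__DELETE));
    printf("admin delete:   %d\n",
           authorise(admin, orders, "qpid_queue", QPID_QUEUE__DELETE));
    return 0;
}
```

Note that a request combining an allowed bit with a denied one (consume plus delete for the client context) is refused as a whole; partial grants are not the semantics of an access-vector check, and a plug-in that tested `avd.allowed != 0` instead of `requested & ~avd.allowed` would silently widen access.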
