Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Casey Schaufler
--- David Howells <[EMAIL PROTECTED]> wrote: > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > All your code has to do is invoke a function provided by libselinux. > > Calling libselinux means it's a special case for a specific LSM. > > I think the best way to do this, then, has to be to dlop

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread David Howells
Stephen Smalley <[EMAIL PROTECTED]> wrote: > All your code has to do is invoke a function provided by libselinux. Calling libselinux means it's a special case for a specific LSM. I think the best way to do this, then, has to be to dlopen the appropriate LSM library. That way I don't need to do

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Tue, 2007-12-11 at 20:42 +, David Howells wrote: > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > That sounds too SELinux specific. How do I do it so that it works for any > > > LSM? > > > > You can't. There is no LSM for userspace; LSM specifically disavowed > > any common userspace

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Casey Schaufler
--- David Howells <[EMAIL PROTECTED]> wrote: ... > > How about I just stick the context in /etc/cachefilesd.conf as a textual > configuration item and have the daemon pass that as a string to the > cachefiles > kernel module, which can then ask LSM if it's valid to set this context as an > overr

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread David Howells
Stephen Smalley <[EMAIL PROTECTED]> wrote: > > That sounds too SELinux specific. How do I do it so that it works for any > > LSM? > > You can't. There is no LSM for userspace; LSM specifically disavowed > any common userspace API, and that was one of our original > objections/concerns about it.

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Casey Schaufler
--- Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > I am much more concerned with the interfaces used to pass the > > information into the kernel. I would expect that to be LSM > > independent, not a call into libselinux that resolves into a > > selinuxfs operation, or its netlink equivalent.

Defuzzing the LSM interface

2007-12-11 Thread Casey Schaufler
Today the LSM interface is pretty well defined in terms of the hooks used to enforce the policy. It's easy to look there and identify how to go about implementing an access control scheme once you've decided what you want to do and how you're going to obtain the information required to make your c

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Tue, 2007-12-11 at 11:26 -0800, Casey Schaufler wrote: > --- Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote: > > > --- Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > > > > On Mon, 2007-12-10 at 21:08 +, David Howells wrote: > >

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Mon, 2007-12-10 at 15:46 -0800, Casey Schaufler wrote: > --- David Howells <[EMAIL PROTECTED]> wrote: > > > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > > From a config file whose pathname would be provided by libselinux (ala > > > the way in which dbusd imports contexts), or directly as

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Mon, 2007-12-10 at 23:36 +, David Howells wrote: > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > From a config file whose pathname would be provided by libselinux (ala > > the way in which dbusd imports contexts), or directly as a context > > returned by a libselinux function. > > That

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Casey Schaufler
--- Stephen Smalley <[EMAIL PROTECTED]> wrote: > On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote: > > --- Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > > On Mon, 2007-12-10 at 21:08 +, David Howells wrote: > > > > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > > > > > > Ot

Re: [PATCH 08/28] SECURITY: Allow kernel services to override LSM settings for task actions [try #2]

2007-12-11 Thread Stephen Smalley
On Mon, 2007-12-10 at 14:26 -0800, Casey Schaufler wrote: > --- Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > On Mon, 2007-12-10 at 21:08 +, David Howells wrote: > > > Stephen Smalley <[EMAIL PROTECTED]> wrote: > > > > > > > Otherwise, only other issue I have with this interface is it won'