Re: [RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-12 Thread Paul Moore
On Sunday 11 November 2007 5:31:44 pm James Morris wrote:
 On Fri, 9 Nov 2007, Paul Moore wrote:
  Add additional Flask definitions to support the new peer object class.

 Should this be dependent on dynamic class/permission support?

I think it's okay to _define_ the Flask definitions regardless of what the 
policy supports as older policies should simply ignore these definitions.

 Or, will these checks only be invoked if labeled networking is configured?

Bingo!  Look at patch 7/13, specifically the 'selinux_policycap_netpeer' 
variable and then at patch 9/13 where the new access checks are made 
conditional on this variable.  The whole mess needs more testing and 
verification, but in theory it shouldn't cause any breakage with older 
policies ... if someone does notice something broken please scream loudly.

-- 
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line unsubscribe 
linux-security-module in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
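Added illustration, not code from this thread or from the kernel: a user-space model of how the S_() string tables touched by this series are indexed by class number (with NULL slots holding the place of unassigned numbers) and of the policy-capability gate Paul describes, under which the new peer checks are simply skipped when the loaded policy does not declare the capability. The class numbers and permission bits are the ones in the patch; the table only covers classes 58 through 68, and the helper names (secclass_name, peer_av_to_string, peer_check) are invented for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Class numbers as defined in flask.h by the patch. */
#define SECCLASS_KEY         58
#define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT  61
#define SECCLASS_PEER        68

/* Permission bits as defined in av_permissions.h by the patch. */
#define PEER__FLOW_IN  0x0001UL
#define PEER__FLOW_OUT 0x0002UL
#define PEER__RECV     0x0004UL

/* First class number covered by the table below (assumption for the model). */
#define TABLE_BASE SECCLASS_KEY

/* Mirrors the class_to_string.h layout: one slot per class number, with a
 * NULL wherever no class is assigned (59, and 62..67 in the patch). */
static const char *class_to_string[] = {
    "key",          /* 58 */
    NULL,           /* 59 */
    "dccp_socket",  /* 60 */
    "memprotect",   /* 61 */
    NULL, NULL, NULL, NULL, NULL, NULL, /* 62..67: the six placeholders */
    "peer",         /* 68 */
};

struct perm_name { unsigned long bit; const char *name; };

/* Mirrors the av_perm_to_string.h entries for the peer class. */
static const struct perm_name peer_perms[] = {
    { PEER__FLOW_IN,  "flow_in"  },
    { PEER__FLOW_OUT, "flow_out" },
    { PEER__RECV,     "recv"     },
};

/* Name of a class number, or NULL for a gap or an out-of-range number. */
const char *secclass_name(unsigned int cls)
{
    size_t n = sizeof(class_to_string) / sizeof(class_to_string[0]);
    if (cls < TABLE_BASE || cls - TABLE_BASE >= n)
        return NULL;
    return class_to_string[cls - TABLE_BASE];
}

/* Render a peer access vector as space-separated permission names (the form
 * seen in audit messages). Returns the number of names written; any bit not
 * in the table is reported as "?". */
int peer_av_to_string(unsigned long av, char *buf, size_t len)
{
    int count = 0;
    size_t i;

    buf[0] = '\0';
    for (i = 0; i < sizeof(peer_perms) / sizeof(peer_perms[0]); i++) {
        if (av & peer_perms[i].bit) {
            if (count)
                strncat(buf, " ", len - strlen(buf) - 1);
            strncat(buf, peer_perms[i].name, len - strlen(buf) - 1);
            av &= ~peer_perms[i].bit;
            count++;
        }
    }
    if (av) {
        if (count)
            strncat(buf, " ", len - strlen(buf) - 1);
        strncat(buf, "?", len - strlen(buf) - 1);
        count++;
    }
    return count;
}

/* Model of the gate: with the netpeer policy capability off, the peer check
 * is not performed at all (0 = allowed), so an older policy that never
 * defines the peer class sees no new denials. With it on, the requested
 * bits are compared against what the policy allows for the peer class. */
int peer_check(int policycap_netpeer, unsigned long allowed,
               unsigned long requested)
{
    if (!policycap_netpeer)
        return 0;
    return (requested & ~allowed) ? -EACCES : 0;
}

int main(void)
{
    char buf[64];

    printf("class %d is %s\n", SECCLASS_PEER, secclass_name(SECCLASS_PEER));
    peer_av_to_string(PEER__FLOW_IN | PEER__RECV, buf, sizeof buf);
    printf("av 0x%lx = { %s }\n", PEER__FLOW_IN | PEER__RECV, buf);
    printf("old policy, recv: %d\n", peer_check(0, 0, PEER__RECV));
    printf("netpeer policy, recv not allowed: %d\n", peer_check(1, 0, PEER__RECV));
    return 0;
}
```

The point of the NULL slots is that the table is positional: the six placeholders are what make index 68 resolve to "peer", so the count has to agree with the SECCLASS_PEER value in flask.h, and the gate is what keeps a policy without the peer class from producing denials it cannot express.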


Re: [RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-11 Thread James Morris
On Fri, 9 Nov 2007, Paul Moore wrote:

 Add additional Flask definitions to support the new peer object class.

Should this be dependent on dynamic class/permission support?

Or, will these checks only be invoked if labeled networking is configured?


-- 
James Morris
[EMAIL PROTECTED]


[RFC PATCH v6 08/13] SELinux: Add new peer permissions to the Flask definitions

2007-11-09 Thread Paul Moore
Add additional Flask definitions to support the new peer object class.
---

 security/selinux/include/av_perm_to_string.h |3 +++
 security/selinux/include/av_permissions.h|3 +++
 security/selinux/include/class_to_string.h   |7 +++
 security/selinux/include/flask.h |1 +
 4 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/security/selinux/include/av_perm_to_string.h 
b/security/selinux/include/av_perm_to_string.h
index 049bf69..1d56a6a 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -159,3 +159,6 @@
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, node_bind)
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, name_connect)
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, mmap_zero)
+   S_(SECCLASS_PEER, PEER__FLOW_IN, flow_in)
+   S_(SECCLASS_PEER, PEER__FLOW_OUT, flow_out)
+   S_(SECCLASS_PEER, PEER__RECV, recv)
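Review bot: these three S_() entries are the strings that will appear in audit messages for the new class, yet the one-line commit message does not say what flow_in, flow_out and recv each denote; a sentence describing the three permissions would help policy writers and anyone reading denials. The names match the PEER__FLOW_IN, PEER__FLOW_OUT and PEER__RECV defines in the av_permissions.h hunk in the same order, so the two tables agree.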
diff --git a/security/selinux/include/av_permissions.h 
b/security/selinux/include/av_permissions.h
index eda89a2..95d4674 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -824,3 +824,6 @@
 #define DCCP_SOCKET__NODE_BIND0x0040UL
 #define DCCP_SOCKET__NAME_CONNECT 0x0080UL
 #define MEMPROTECT__MMAP_ZERO 0x0001UL
+#define PEER__FLOW_IN 0x0001UL
+#define PEER__FLOW_OUT0x0002UL
+#define PEER__RECV0x0004UL
diff --git a/security/selinux/include/class_to_string.h 
b/security/selinux/include/class_to_string.h
index e77de0e..b1b0d1d 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -64,3 +64,10 @@
 S_(NULL)
 S_(dccp_socket)
 S_(memprotect)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(NULL)
+S_(peer)
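Review bot: the run of six S_(NULL) placeholders is unexplained; nothing in this patch says why class numbers 62 through 67 are skipped, and the commit message (or a comment beside the placeholders) should. Counted against the flask.h hunk, memprotect is 61 and peer is 68, so six is the right number; it matters because this table is indexed by class number, and one placeholder too few or too many would shift the name every later class resolves to.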
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index a9c2b20..09e9dd2 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -50,6 +50,7 @@
 #define SECCLASS_KEY 58
 #define SECCLASS_DCCP_SOCKET 60
 #define SECCLASS_MEMPROTECT  61
+#define SECCLASS_PEER68
 
 /*
  * Security identifier indices for initial entities
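Review bot: SECCLASS_PEER is a fixed class number rather than one resolved from the loaded policy, which is what James's question about dynamic class/permission support is getting at. Paul's reply says the new access checks are gated on the selinux_policycap_netpeer variable from patch 7/13, so a policy that never defines the peer class is not asked about it; that dependency is not visible from this hunk and is worth a sentence in the commit message, since the jump from 61 to 68 otherwise reads as arbitrary.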
