From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 24 Jun 2011 09:13:20 -0400
Subject: [refpolicy] Generation of FLASK entries
In-Reply-To: <4E0364AA.8080207@secunet.com>
References: <4E0364AA.8080207@secunet.com>
Message-ID: <4E048D70.1040703@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/23/11 12:07, Martin Christian wrote:
> I'm trying to understand the process of how the ref policy is built.
> However, I'm wondering how you keep the flask entries up-to-date with
> the kernel? To me it seems like you always use the fixed access vector
> definitions from policy/flask, isn't it? This might cause the policy
> to be out of sync with the kernel, e.g.: kernel 2.6.37 introduced the
> permission syslog for class capability2.

Yes, the in-policy flask definitions are used. It is possible to get out of sync, but we're pretty good about getting the flask definitions updated when new permissions are added.

If you do come into the situation where you have more permissions defined in your kernel than in your policy, there is a configuration setting for these unknown permissions. They can either be allowed, denied, or the policy loading can be rejected. This setting is in the policy itself (see the UNK_PERMS setting in build.conf).

If there are more permissions in the policy than in the kernel, what happens is that kernel memory is wasted due to the unchecked permissions.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
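The check a practitioner would want after reading the reply above is a way to see, for a given class, which permissions the running kernel exports but policy/flask/access_vectors lacks (those are the "unknown" permissions that UNK_PERMS decides about) and which the policy declares but the kernel does not (the wasted, never-checked bits). The script below is an added example written for this page; it is not part of the original thread and not refpolicy's own tooling. It assumes the refpolicy access_vectors syntax (`common`/`class`/`inherits` blocks with whitespace-separated braces), the selinuxfs layout `/sys/fs/selinux/class/<class>/perms/<perm>`, and the `deny_unknown`/`reject_unknown` files selinuxfs uses to report how the loaded policy handles unknown permissions. The sample access_vectors excerpt and fake selinuxfs tree it builds for its offline demo are constructed, not copied from any real policy or kernel.

```shell
#!/bin/sh
# flask_perm_diff.sh: compare FLASK permissions declared in a refpolicy
# access_vectors file against those the running kernel exports via selinuxfs.
# Added example for this thread; assumptions are noted in comments.
export LC_ALL=C   # stable sort/comm ordering

# Print the permissions access_vectors declares for class $2 (file $1),
# resolving "common X ... class Y inherits X". Assumes refpolicy layout:
# comments start with '#', braces are whitespace-separated tokens, and a
# common block is defined before the classes that inherit it.
policy_perms() {
    awk -v want="$2" '
    { sub(/#.*/, ""); for (i = 1; i <= NF; i++) tok[n++] = $i }
    END {
        i = 0
        while (i < n) {
            t = tok[i++]
            if (t == "common")        { kind = "common"; name = tok[i++] }
            else if (t == "class")    { kind = "class";  name = tok[i++]; perm[name] = perm[name] "" }
            else if (t == "inherits") { perm[name] = perm[name] " " cperm[tok[i++]] }
            else if (t == "{") {
                while (i < n && tok[i] != "}") {
                    if (kind == "common") cperm[name] = cperm[name] " " tok[i]
                    else                  perm[name]  = perm[name]  " " tok[i]
                    i++
                }
                i++
            }
        }
        if (!(want in perm)) exit 1          # class not declared at all
        m = split(perm[want], out, " ")
        for (j = 1; j <= m; j++) if (out[j] != "") print out[j]
    }' "$1"
}

# Print the permissions the kernel exports for class $2 under selinuxfs root $1
# (one entry per file in class/<class>/perms/). Fails if the class is absent.
kernel_perms() {
    [ -d "$1/class/$2/perms" ] || return 1
    ls "$1/class/$2/perms"
}

# Report the two kinds of skew for class $3 (access_vectors $1, selinuxfs $2):
#   kernel-only: kernel knows it, policy does not -> governed by UNK_PERMS
#   policy-only: policy declares it, kernel never checks it -> wasted bits
compare_class() {
    tmp=$(mktemp -d) || return 1
    if ! policy_perms "$1" "$3" > "$tmp/p.raw"; then
        echo "class $3: not declared in $1"; rm -rf "$tmp"; return 1
    fi
    if ! kernel_perms "$2" "$3" > "$tmp/k.raw"; then
        echo "class $3: not exported by the kernel under $2"; rm -rf "$tmp"; return 1
    fi
    sort -u "$tmp/p.raw" > "$tmp/p"; sort -u "$tmp/k.raw" > "$tmp/k"
    comm -13 "$tmp/p" "$tmp/k" | sed 's/^/kernel-only: /'
    comm -23 "$tmp/p" "$tmp/k" | sed 's/^/policy-only: /'
    rm -rf "$tmp"
}

# How the *loaded* policy handles unknown permissions, as reported by selinuxfs
# root $1: reject_unknown=1 -> reject, else deny_unknown=1 -> deny, else allow.
unknown_perms_mode() {
    r=$(cat "$1/reject_unknown" 2>/dev/null) || return 1
    d=$(cat "$1/deny_unknown" 2>/dev/null) || return 1
    if [ "$r" = 1 ]; then echo reject; elif [ "$d" = 1 ]; then echo deny; else echo allow; fi
}

# Constructed offline sample: a tiny access_vectors excerpt whose capability2
# lacks "syslog", and a fake selinuxfs whose kernel has it (and lacks execmod).
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/access_vectors" <<'EOF'
# constructed excerpt in access_vectors syntax, not the real file
common file
{
	ioctl
	read
	write
	execmod
}

class file
inherits file
{
	execute_no_trans
	entrypoint
}

class lnk_file
inherits file

class capability2
{
	mac_override
	mac_admin
}
EOF
    mkdir -p "$d/selinuxfs/class/capability2/perms" "$d/selinuxfs/class/file/perms"
    for p in mac_override mac_admin syslog; do : > "$d/selinuxfs/class/capability2/perms/$p"; done
    for p in ioctl read write execute_no_trans entrypoint; do : > "$d/selinuxfs/class/file/perms/$p"; done
    echo 1 > "$d/selinuxfs/deny_unknown"; echo 0 > "$d/selinuxfs/reject_unknown"
    printf '%s\n' "$d"
}

if [ $# -ge 3 ]; then
    compare_class "$1" "$2" "$3"          # real run: access_vectors selinuxfs class
else
    s=$(make_sample)
    echo "loaded policy handles unknown perms with: $(unknown_perms_mode "$s/selinuxfs")"
    compare_class "$s/access_vectors" "$s/selinuxfs" capability2
    rm -rf "$s"
fi
```

Against a real tree, run `sh flask_perm_diff.sh policy/flask/access_vectors /sys/fs/selinux capability2`; any `kernel-only:` line is a permission that will be allowed, denied, or cause the load to be rejected according to UNK_PERMS in build.conf, and `unknown_perms_mode /sys/fs/selinux` shows which of those the currently loaded policy chose. Classes that exist in the kernel but not in the policy at all are reported separately, since they are a different kind of skew from a missing permission.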