LinuxLists.cc - [refpolicy] Generation of FLASK entries

2011-06-23 16:07:06

Subject: [refpolicy] Generation of FLASK entries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm trying to understand the process how the ref policy is built.
However, I'm wondering how you keep the flask entries up-to-date with
the kernel? To me it seems like you always use the fixed access vector
definitions from policy/flask, isn't it? This might cause the policy
being out of sync with the kernel, e. g.: Kernel 2.6.37 introduced the
permission syslog for class capabiliy2.

Regards,

Martin.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOA2SiAAoJEGpTkDITRjmooFQIAMIlHA60M0fb8uZNJwbrQJmu
fU/JSsKM1gv7Hx1Hd4bcz48yY/9WT5Pop4v2T1K812sYcfwqR/nwAy9PsOQy2p34
QCUgN0EzbhV6rjcXb5mCeQuOW1wfTeXyTrMqhIiaenh+ePEZdvA6hPE6SnepjiMw
fVl9gyIMw0pCviX0abflJg0l+lJh86XVeLOikp9X6QG2mCUV0dgursXKe/yeiC9O
Vpm/DEL/B3qvAU9RE0EFsnHKNAg+BMfSaedlZm4igNmVo3KxjFYjDjDa1xhX6P7Y
oGNFkbJ+rhhAkzuDR96Sqvr/naLPyvdZfTA3b7X/AfdL8cAbMFb/bIywe6S6RjY=
=xZUX
-----END PGP SIGNATURE-----

2011-06-24 13:13:20

by cpebenito

[permalink] [raw]

Subject: [refpolicy] Generation of FLASK entries

On 06/23/11 12:07, Martin Christian wrote:
> I'm trying to understand the process how the ref policy is built.
> However, I'm wondering how you keep the flask entries up-to-date with
> the kernel? To me it seems like you always use the fixed access vector
> definitions from policy/flask, isn't it? This might cause the policy
> being out of sync with the kernel, e. g.: Kernel 2.6.37 introduced the
> permission syslog for class capabiliy2.

Yes, the in-policy flask definitions are used. It is possible to get
out of sync, but we're pretty good about getting the flask definitions
updated when new permissions are added. If you do come into the
situation where you have more permissions defined in your kernel than in
your policy, there is a configuration setting for these unknown
permissions. They can either be allowed, denied, or the policy loading
can be rejected. This setting is in the policy itself (see UNK_PERMS
setting in build.conf).

If there are more permissions in the policy than in the kernel, what
happens is kernel memory is wasted due to the unchecked permissions.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com