I don't know how helpful this is for your problem, but:

1) A number of access control systems (definitely SELinux, and I think SubDomain and RSBAC as well) provide an optional permissive / soft / learning mode of operation where the system merely logs access denials but does not enforce them. So you can do some minimal setup of a new security domain for an application, run the application in this domain on a kernel with this mode enabled, and then use the resulting log messages as input into constructing a policy for the application.

2) Some access control systems (definitely SELinux, don't know about others) provide an enhanced API for security-aware applications that permits them to query the policy (if authorized by the policy to perform such queries). The SELinux API is discussed in the Freenix paper, and at greater length in the technical report.

Of course, these facilities aren't standardized in any way across different security modules.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
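The log-driven policy construction described in point 1) above, as an added example that is not from the post, from SELinux, or from its real audit2allow tool: a small aggregator that reads permissive-mode AVC denial messages, merges them per (source type, target type, object class), and emits candidate allow rules. The audit lines are constructed for illustration and assume the classic "avc: denied { perms } for ... scontext= tcontext= tclass=" layout; the REVIEW_TYPES list is likewise a constructed placeholder. The review step exists because a logged denial is evidence that the application attempted an access, not proof that the access should be permitted, so the output is input to policy authoring, not a finished policy.

```python
"""Turn SELinux permissive-mode AVC denials into candidate allow rules.

Added illustration only; not SELinux's own audit2allow. Sample log lines
and the review list below are constructed, not captured from a real system.
"""
import re
from collections import defaultdict

# Constructed sample audit records; one unrelated line is included to show
# that non-AVC output is ignored.
SAMPLE_LOG = """\
avc:  denied  { read } for  pid=1234 comm="myapp" name="config.ini" dev=sda1 ino=42 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file permissive=1
avc:  denied  { open } for  pid=1234 comm="myapp" path="/etc/myapp/config.ini" dev=sda1 ino=42 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file permissive=1
avc:  denied  { name_connect } for  pid=1234 comm="myapp" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
avc:  denied  { write } for  pid=1234 comm="myapp" name="shadow" dev=sda1 ino=99 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
kernel: some unrelated message that must be ignored
"""

# Assumed record layout: "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

# Constructed placeholder: target types whose rules must be reviewed by a
# human before being added to policy.
REVIEW_TYPES = {"shadow_t"}


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        )


def aggregate(log_text):
    """Merge denials into {(source_type, target_type, tclass): set_of_perms}."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text):
        merged[(stype, ttype, tclass)].update(perms)
    return merged


def format_rule(key, perms):
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def build_rules(log_text):
    """Return candidate allow rules, one per (source, target, class), sorted."""
    return [format_rule(k, p) for k, p in sorted(aggregate(log_text).items())]


def rules_needing_review(log_text, review_types=REVIEW_TYPES):
    """Subset of candidate rules whose target type is on the review list."""
    return [
        format_rule(k, p)
        for k, p in sorted(aggregate(log_text).items())
        if k[1] in review_types
    ]


if __name__ == "__main__":
    flagged = set(rules_needing_review(SAMPLE_LOG))
    for rule in build_rules(SAMPLE_LOG):
        marker = "  # REVIEW" if rule in flagged else ""
        print(rule + marker)
```

Run it once against a full permissive-mode session of the application; rules that repeat across runs and touch only the application's own types are the ones worth carrying into the policy, while anything flagged for review is a prompt to ask why the application tried that access at all.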
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 08:01:37 PST