On Tue, 2004-06-29 at 12:30, Valdis.Kletnieks@private wrote:
> And sites that have some need to implement a "Users/Processes of Type X can't
> do Operation Y" to satisfy some local requirement (possibly not easily
> expressed in SELinux terms - consider a rule like "Processes run by Graduate
> Students may not access the Foo Shared Resource between 9AM and 5PM M-F"...)
> may be looking at a *fifth* LSM to implement one or two rules....

You can implement that policy using SELinux and the conditional policy
support added by Tresys, i.e. the allow rules granting the graduate
student domain access to the foo shared resource type are bracketed with
a conditional on a policy boolean, and crond or some similar daemon
toggles the boolean value at the appropriate times.

--
Stephen Smalley <sds@private>
National Security Agency

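The approach described in the reply above, sketched as an added example that is not part of the original message or of any SELinux policy: the conditional policy fragment is shown in comments, and the script is what cron would run. The names grad_foo_access, grad_t, foo_resource_t and the script path are hypothetical, and "between 9AM and 5PM" is assumed to mean 09:00 through 16:59. It goes slightly beyond two fixed-time toggles by recomputing the desired state on every run, so a toggle missed during downtime is corrected on the next run.

```shell
#!/bin/sh
# Added example; all type, boolean and path names are hypothetical.
#
# Policy side (SELinux conditional policy):
#   bool grad_foo_access false;          # default denies, so failure is closed
#   if (grad_foo_access) {
#       allow grad_t foo_resource_t:file { read getattr };
#   }
#
# Cron side (also run once at boot):
#   */5 * * * * root /usr/local/sbin/grad-foo-window --apply

BOOL=grad_foo_access

# desired_state DOW HOUR
# DOW is 1..7 with Monday = 1 (date +%u); HOUR is 00..23 (date +%H).
# Prints "off" inside the restricted window (Mon-Fri, 09:00-16:59), else "on".
desired_state() {
    dow=$1
    hour=$2
    if [ "$dow" -ge 1 ] && [ "$dow" -le 5 ] &&
       [ "$hour" -ge 9 ] && [ "$hour" -lt 17 ]; then
        echo off
    else
        echo on
    fi
}

# apply_state on|off
# Changes the boolean only when it differs, so audit logs show real transitions.
apply_state() {
    want=$1
    if ! command -v setsebool >/dev/null 2>&1; then
        echo "setsebool not found; would set $BOOL=$want" >&2
        return 0
    fi
    current=$(getsebool "$BOOL" | awk '{print $NF}')
    [ "$current" = "$want" ] || setsebool "$BOOL" "$want"
}

# Only touch the running policy when asked to, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    now=$(date '+%u %H')
    # $now is intentionally unquoted: it splits into DOW and HOUR.
    apply_state "$(desired_state $now)"
fi
```

Because the boolean defaults to false, a host where the job never runs denies access rather than granting it outside the intended hours.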
This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 09:35:39 PDT