>
> On a per-hook basis, I suppose you could
> # modprobe stacker
> # echo "default a or b or c" > /sys/security/stacker/compose
> # echo "inode_permission (a and b) or c" > /sys/security/stacker/compose
> # ...
> # modprobe digsig_verif
> # modprobe bsdjail
> # modprobe seclvl
>

Yes. But I want to put this metapolicy in a concentrated configuration file. Then we can write our rule, such as "(a and b) or c", in a file. When booting up, the kernel will read it. As you said, I will implement it using the sysfs filesystem.

>
> I usually think of LSM as implementing MAC and not DAC, but I guess there's
> nothing stopping you :) What do you want in additional DAC, mainly to build
> your own ACL's?

Yes. The DAC is implemented by ACL.

>
> I'll be interested to see your results. Are you implementing your own MAC and
> RBAC systems, or starting with, say, SELinux?

OK, when the framework comes out, I will put it on the mailing list. We accomplished our own MAC system.

>
> Use of a pseudofs or a sysfs interface is strongly recommended. Reading
> a file from the kernel is very strongly frowned upon. As an example of the
> pseudofs approach, look to linux/security/selinux/selinuxfs.c:sel_write_load
> and linux/security/selinux/ss/services.c:security_load_policy. For DTE, I
> use a sysfs file and cat the policy into that file line by line.

Thanx.

Yuan Chunyang
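
The rule syntax discussed in this message, such as "(a and b) or c", needs an evaluator that combines the verdicts of the stacked modules. The following is an added example, not code from the stacker module or from either poster: a user-space C evaluator for the expression part of a rule, assuming single-letter module names as in the thread, a constructed verdict bitmap, and a hypothetical `compose_permits` function that denies on any malformed rule.

```c
#include <ctype.h>
#include <string.h>

/* allow: constructed verdict bitmap, bit 0 = module a, bit 1 = b, ... (1 = permit). */
struct parser { const char *p; unsigned allow; int err; };
static int parse_or(struct parser *s);

/* Consume kw after optional whitespace; "and"/"or" must end at a word boundary. */
static int token(struct parser *s, const char *kw) {
    size_t n = strlen(kw);
    while (isspace((unsigned char)*s->p)) s->p++;
    if (strncmp(s->p, kw, n) || (n > 1 && isalnum((unsigned char)s->p[n])))
        return 0;
    s->p += n;
    return 1;
}

static int parse_atom(struct parser *s) {
    if (token(s, "(")) {
        int v = parse_or(s);
        if (!token(s, ")")) s->err = 1;      /* unbalanced parenthesis */
        return v;
    }
    if (islower((unsigned char)*s->p) && !isalnum((unsigned char)s->p[1]))
        return (s->allow >> (*s->p++ - 'a')) & 1;
    s->err = 1;                              /* unknown token: fail closed */
    return 0;
}

static int parse_and(struct parser *s) {     /* "and" binds tighter than "or" */
    int v = parse_atom(s);
    while (!s->err && token(s, "and")) v &= parse_atom(s);
    return v;
}

static int parse_or(struct parser *s) {
    int v = parse_and(s);
    while (!s->err && token(s, "or")) v |= parse_and(s);
    return v;
}

/* Returns 1 only if the whole rule parses and evaluates to permit; otherwise 0 (deny). */
int compose_permits(const char *expr, unsigned allow) {
    struct parser s = { expr, allow, 0 };
    int v = parse_or(&s);
    while (isspace((unsigned char)*s.p)) s.p++;
    return !s.err && *s.p == '\0' && v;
}

int main(void) { return compose_permits("(a and b) or c", 0x4) ? 0 : 1; }
```

Every module is evaluated even when an earlier verdict already decides the result, and recursion depth is unbounded here, so an in-kernel version would need a nesting limit.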
This archive was generated by hypermail 2.1.3 : Wed Sep 08 2004 - 23:45:40 PDT