Re: [RFC] [Stacking v4 2/3] New version of SELinux patch to support stacking

From: Stephen Smalley (sds@private)
Date: Mon Dec 06 2004 - 13:14:26 PST


On Fri, 2004-12-03 at 13:04, Serge Hallyn wrote:
> Attached is a new version of the SELinux patch.  It uses the
> lsm_adopt_next_secondary() function exported by stacker to stack
> capability underneath itself if capability, stacker, and selinux are all
> compiled in.

I suppose the question here is whether this approach is what is
ultimately desired (delegating setup of the "next" secondary module so
that SELinux can stack specially with capabilities) or whether we just
want to get the stacker to support the same behavior and provide
adequate performance so that the SELinux secondary_ops can be discarded
altogether and one can just stack SELinux+capabilities via the stacker
module.

As an experiment, I tried removing the use of lsm_adopt_next_secondary()
from SELinux and just letting stacker handle the stacking of
capabilities with SELinux, but the system doesn't get very far that
way.  The initial restorecon on /dev from rc.sysinit (to deal with the
initial /dev populated by udev before SELinux policy is loaded) seems to
fail, and then subsequent access to /dev fails.  This is on FC3 with
strict policy.

-- 
Stephen Smalley <sds@private>
National Security Agency



This archive was generated by hypermail 2.1.3 : Mon Dec 06 2004 - 13:19:48 PST