
List:       selinux
Subject:    Re: [RFC]integrity: SELinux patch
From:       "Serge E. Hallyn" <serue () us ! ibm ! com>
Date:       2007-08-30 21:12:43
Message-ID: 20070830211243.GA20414 () sergelap ! austin ! ibm ! com

Quoting Serge E. Hallyn (serue@us.ibm.com):
> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > This is a second attempt to verify and measure file integrity, by
> > adding the new Linux Integrity Modules (LIM) API calls to SELinux.
> > This posting addresses comments previously made on this list. 
> > I will also post the current set of LIM patches, as well as an
> > initial integrity.te example. 
> > 
> > The integrity of the SELinux metadata is verified when the xattr
> > is initially retrieved.  On an integrity failure, normal selinux 
> > error processing occurs.
> > 
> > This patch defines a new 'integrity' class with the permission 
> > 'measure'.  Measurement calls are made in selinux_file_mmap(), 
> > selinux_bprm_check_security, and selinux_inode_permission(),
> > based on policy.  (Additional calls might be required.)
> 
> Just curious - wouldn't you want to also define an 'update' permission to
> allow policy to permit some domains to update xattrs?  Or does that not
> make sense?

Oops, I see, that's what measure is...   nm then.

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.