
List:       selinux
Subject:    Re: [RFC]integrity: SELinux patch
From:       Mimi Zohar <zohar@linux.vnet.ibm.com>
Date:       2007-08-31 13:15:14
Message-ID: 1188566114.10618.28.camel@localhost.localdomain

On Thu, 2007-08-30 at 16:12 -0500, Serge E. Hallyn wrote:
> Quoting Serge E. Hallyn (serue@us.ibm.com):
> > Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > > This is a second attempt to verify and measure file integrity, by
> > > adding the new Linux Integrity Modules (LIM) API calls to SELinux.
> > > This posting addresses comments previously made on this list.
> > > I will also post the current set of LIM patches, as well as an
> > > initial integrity.te example.
> > > 
> > > The integrity of the SELinux metadata is verified when the xattr
> > > is initially retrieved.  On an integrity failure, normal SELinux
> > > error processing occurs.
> > > 
> > > This patch defines a new 'integrity' class with the permission
> > > 'measure'.  Measurement calls are made in selinux_file_mmap(),
> > > selinux_bprm_check_security(), and selinux_inode_permission(),
> > > based on policy.  (Additional calls might be required.)
> > 
> > Just curious - wouldn't you want to also define an 'update' permission to
> > allow policy to permit some domains to update xattrs?  Or does that not
> > make sense?
> 
> Oops, I see, that's what measure is...   nm then.

A LIM provider that implements integrity_verify_metadata/data would protect
its own integrity xattrs, just as an LSM module protects its own xattrs, but
that is not an SELinux issue.  Based on a 'measure' policy, SELinux decides
whether or not to add a measurement to the measurement list and extend the
PCR value.

Mimi
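As an added illustration of the decision described in the reply above (not code from the patch or the thread), the following userspace Python model shows the two halves of that flow: a policy lookup on the hypothetical 'integrity' class / 'measure' permission that gates whether a file access is measured at all, and a measurement list whose entries extend a simulated TPM 1.2 PCR (SHA-1 of old PCR value concatenated with the new measurement), so that a verifier can replay the list and detect tampering. The domain and type names in the rule set are constructed sample values, not taken from any real policy.

```python
"""Model of policy-gated integrity measurement with a simulated PCR (added example)."""
import hashlib

# Constructed sample allow rules, in the shape the proposed 'integrity' class
# implies: (subject domain, object type, class, permission). Hypothetical names.
ALLOW_RULES = {
    ("init_t", "bin_t", "integrity", "measure"),
    ("init_t", "lib_t", "integrity", "measure"),
}


class MeasurementLog:
    """Measurement list plus a simulated TPM 1.2 PCR (extend = SHA-1(old || new))."""

    def __init__(self):
        self.entries = []        # (path, hex SHA-1 of file content)
        self.pcr = bytes(20)     # PCRs start zeroed at boot

    def extend(self, measurement: bytes):
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()

    def measure(self, path: str, content: bytes):
        digest = hashlib.sha1(content).digest()
        self.entries.append((path, digest.hex()))
        self.extend(digest)


def policy_allows(domain, otype, cls, perm):
    """Stand-in for the AVC lookup: is (domain, type, class, perm) allowed?"""
    return (domain, otype, cls, perm) in ALLOW_RULES


def hook_file_access(log, domain, path, otype, content):
    """Model of what a hook such as selinux_file_mmap() would do: measure the
    file only when policy grants the domain 'measure' on the 'integrity' class.
    Returns True when a measurement was recorded."""
    if policy_allows(domain, otype, "integrity", "measure"):
        log.measure(path, content)
        return True
    return False


def replay_matches(log):
    """Verifier side: recompute the PCR from the list. Any edit, removal or
    reordering of entries after the fact makes the replayed value diverge."""
    pcr = bytes(20)
    for _path, hexdigest in log.entries:
        pcr = hashlib.sha1(pcr + bytes.fromhex(hexdigest)).digest()
    return pcr == log.pcr
```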

