[redhat-lspp] Syscalls questions
Stephen Smalley
sds at tycho.nsa.gov
Thu Jun 29 14:12:15 UTC 2006
On Wed, 2006-06-28 at 14:06 -0500, Klaus Weidner wrote:
> On Tue, Jun 27, 2006 at 06:48:26PM +0100, David Howells wrote:
> > Kris Wilson <krisw at us.ibm.com> wrote:
> > > We are trying to finalize our list of syscalls to test and have the
> > > following questions:
> >
> > Test in what way?
>
> The testing would be for compliance with LSPP, in this case that the
> syscalls properly implement mandatory access control and generate correct
> audit records.
>
> > > add_key
> > > request_key
> > > keyctl
> >
> > Anybody may use them.
>
> Is there any clean way to disable them at runtime for non-admins, maybe a
> SELinux constraint? It would save a lot of work for the evaluation...
You could (via SELinux constraint on the key class), but I'm not sure
why this is better than just defining normal MLS constraints on the key
permissions now that we have the SELinux checking there and do testing
of those constraints.
--
Stephen Smalley
National Security Agency
More information about the redhat-lspp
mailing list