[redhat-lspp] RBAC Roles

Stephen Smalley sds at tycho.nsa.gov
Thu Sep 22 18:01:13 UTC 2005


On Thu, 2005-09-22 at 10:57 -0400, Steve Grubb wrote:
> On Thursday 22 September 2005 10:36, Stephen Smalley wrote:
> > You'd still need to regenerate and reload policy, but you wouldn't need
> > any policy sources or checkpolicy.
> 
> Do you really need to take this step? What about just inserting or deleting 
> the rule instead of the whole policy. 

The SELinux kernel module doesn't presently support such an interface
for selective modification of the policy; it only provides an interface
for complete policy reload (which has cleaner semantics and locking).
IIRC, when the question of supporting selective modifications at the
kernel level was previously raised, someone pointed out that iptables
configuration is the same; you can add and delete rules in userspace,
but the kernel views it as a complete reload each time.  So we can
present a user interface that appears to selectively add and remove, but
internally it would continue to regenerate a new policy image and drop
the result into the kernel as an atomic operation.

-- 
Stephen Smalley
National Security Agency
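
The design Stephen describes above, a userspace interface that looks selective while the kernel only ever sees a complete, atomically swapped policy image, as an added example that is not part of the thread and not SELinux or libsemanage code. The `PolicyStore`, its rule format and the `validate` check are hypothetical constructions; the "kernel" is stood in for by a file that is replaced with `os.replace` so an observer reads either the old image or the new one, never a mix, and a rejected image leaves both the installed image and the userspace rule set untouched.

```python
import os
import re
import tempfile

# Hypothetical rule image format: one "allow src tgt:class perm;" per line.
RULE_RE = re.compile(r"^allow \w+ \w+:\w+ \w+;$")


class PolicyLoadError(Exception):
    """Raised when the regenerated image is rejected as a whole."""


def serialize(rules):
    """Render the complete rule set as a policy image (deterministic order)."""
    return "".join("allow %s %s:%s %s;\n" % r for r in sorted(rules))


def validate(image):
    """All-or-nothing check: one malformed line rejects the whole image."""
    for line in image.splitlines():
        if not RULE_RE.match(line):
            raise PolicyLoadError("malformed rule: %r" % line)


class PolicyStore:
    """Userspace policy store with selective-looking add/remove operations.

    Every mutation regenerates the full image and installs it atomically,
    mirroring the complete-reload model described in the thread.
    """

    def __init__(self, path):
        self.path = path        # the currently installed ("loaded") image
        self.rules = set()
        self.generation = 0     # number of complete reloads performed

    def _reload(self):
        image = serialize(self.rules)
        validate(image)         # reject before anything is installed
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            f.write(image)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)   # atomic swap: old image or new, never a mix
        self.generation += 1

    def _apply(self, mutate):
        snapshot = set(self.rules)
        mutate()
        try:
            self._reload()
        except PolicyLoadError:
            self.rules = snapshot    # keep userspace consistent with what is loaded
            raise

    def add_rule(self, src, tgt, cls, perm):
        self._apply(lambda: self.rules.add((src, tgt, cls, perm)))

    def remove_rule(self, src, tgt, cls, perm):
        self._apply(lambda: self.rules.discard((src, tgt, cls, perm)))

    def loaded_image(self):
        """What the 'kernel' side currently holds."""
        with open(self.path) as f:
            return f.read()


def make_store():
    """Create a store backed by a fresh temporary directory."""
    return PolicyStore(os.path.join(tempfile.mkdtemp(), "policy.img"))


if __name__ == "__main__":
    store = make_store()
    store.add_rule("user_t", "etc_t", "file", "read")
    store.add_rule("user_t", "etc_t", "file", "getattr")
    try:
        store.add_rule("user_t", "etc_t", "file", "read write")  # malformed perm
    except PolicyLoadError as e:
        print("rejected:", e)
    print(store.loaded_image(), end="")
    print("reloads performed:", store.generation)
```

The point of the rollback in `_apply` is the same one the complete-reload model buys in the kernel: the loaded policy is always a whole image that passed validation, and the userspace view never drifts from it.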
