From: Stephen Smalley <sds@tycho.nsa.gov>
To: JanuGerman <doublemalam@yahoo.co.uk>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: SELinux cache.
Date: Tue, 27 Mar 2007 08:38:16 -0400	[thread overview]
Message-ID: <1174999097.3864.271.camel@moss-spartans.epoch.ncsc.mil> (raw)
In-Reply-To: <800112.19807.qm@web86906.mail.ukl.yahoo.com>

On Tue, 2007-03-27 at 10:31 +0100, JanuGerman wrote:
> Hi Everyone,
> 
>   SELinux maintains a cache called "access vector
> cache (avc)" for caching the security server
> decisions. Besides the avc, is there any other cache
> as well, which is maintained outside the domain of
> the Linux kernel or SELinux?
> 
> The book "SELinux by Example" has mentioned a cache
> in the userspace (library libselinux), but
> unfortunately, I was not able to locate this library.
> 
> Currently, my SELinux is running in "Enforcing" mode,
> with "targeted" policy. Sometimes it executes the
> functions within selinux/hooks.c such as
> "may_create", "may_link", "file_has_perm", and sometimes
> it does not. The avc calls are normally executed within
> these methods. So, logically, these methods should be
> consulted before examining the avc for a cache
> miss/hit.
> 
> Am I running SELinux in the wrong mode? I mean, at
> the moment it is "targeted"; should it be "strict" in
> order to execute these "hooks.c" functions each time a
> permission check is made, or is there another cache
> maintained outside the SELinux domain boundaries?

The hook functions are always called.  What makes you think they aren't?
Easiest way to see the calls is to add auditallow rules to your policy,
although this will generate a lot of audit messages.  Example:
$ cat test.te
policy_module(test, 1.0)

require {
        attribute domain;
        attribute file_type;
}

auditallow domain file_type:dir_file_class_set *;
$ make -f /usr/share/selinux/devel/Makefile
$ su -
# semodule -i test.pp
# tail -f /var/log/audit/audit.log

But be warned that this will generate a lot of audit.
To remove, use:
# semodule -r test

There is a userspace AVC in libselinux for use by userspace object
managers (applications that enforce policy over their own objects and
operations not directly visible to the kernel), but it isn't relevant to
the kernel.  If you have SELinux on your system, you have libselinux
already, e.g. /lib/libselinux.so.1.  The sources can be found in the
usual places.

-- 
Stephen Smalley
National Security Agency
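The auditallow module in the reply above confirms that the hooks run, but the price is a flood of "granted" records in audit.log. The script below is an added example, not part of the thread and not SELinux project code: it parses kernel-format `type=AVC` records (both `granted` lines from auditallow rules and ordinary `denied` lines), and tallies them by verdict, source context, target context, class and permission, so the flood collapses into a short table. The sample records embedded in it are constructed for the example (made-up pids, inodes and timestamps; the contexts are ordinary targeted-policy types), and the file-path argument is an assumption about how you would run it.

```python
"""Summarise AVC audit records produced by auditallow rules or denials.

Added example for the thread above (not from the original message and
not libselinux/kernel code). It reads kernel-format `type=AVC` lines,
such as those a module like test.te writes to /var/log/audit/audit.log,
and groups them so a flood of 'granted' messages becomes readable.
Usage (assumed):  python3 avc_summary.py /var/log/audit/audit.log
With no argument it runs over the constructed sample below.
"""
import re
import sys
from collections import Counter

# Fixed prefix of an AVC record, then a key=value scan for the remainder.
# Field names (scontext, tcontext, tclass, comm) follow the kernel's avc_audit output.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
    }


def summarize(lines):
    """Count (verdict, scontext, tcontext, tclass, perm) tuples across the lines.

    A record granting several permissions at once ({ read getattr }) is
    counted once per permission, which matches how a policy writer thinks
    about the rules that produced it.
    """
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, CWD, PATH and other record types are skipped
        for perm in rec["perms"]:
            counts[(rec["verdict"], rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts


# Constructed sample records in the kernel's AVC format (values are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1174999097.123:45): avc:  granted  { search } for  pid=3864 comm="bash" name="etc" dev=sda1 ino=2 scontext=unconfined_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1174999097.124:46): avc:  granted  { read getattr } for  pid=3864 comm="bash" name="passwd" dev=sda1 ino=17 scontext=unconfined_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1174999097.124:46): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1174999097.200:47): avc:  denied  { write } for  pid=4010 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1174999097.201:48): avc:  granted  { search } for  pid=3864 comm="bash" name="etc" dev=sda1 ino=2 scontext=unconfined_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for (verdict, sctx, tctx, tclass, perm), n in summarize(lines).most_common():
        print(f"{n:6d}  {verdict:7s} {tclass}:{perm}  {sctx} -> {tctx}")


if __name__ == "__main__":
    main(sys.argv)
```

Two things to keep in mind when using it on a real log: auditallow only ever produces `granted` records, so any `denied` rows in the summary come from the policy itself, not from the test module; and because the kernel AVC caches decisions, a permission that was already cached will not produce a new granted record on every access, so counts reflect AVC lookups that reached the security server and audit path, not every hook call.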


