Displaying 4 results from an estimated 4 matches for "security_t".
2013 Feb 13
4
[PATCH 0/3] FLASK policy build rework
These patches update the example FLASK policy shipped with Xen and
enable its build if the required tools are present. The third patch
requires rerunning autoconf to update tools/configure.
[PATCH 1/3] flask/policy: sort dom0 accesses
[PATCH 2/3] flask/policy: rework policy build system
[PATCH 3/3] tools/flask: add FLASK policy to build
2015 Jan 23
2
How to prevent root from managing/disabling SELinux
...rking at
home; I do overkill at times :-)
The problem is that I can't see how to prevent this. There are too many
access points (not just the CLI tools but the pp files and the /sys tree
and I don't know what else).
I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
has security_t so maybe a policy that denies everyone except a new
security_admin_t permission to modify those files might work?
Has anyone actually attempted this?
--
rgds
Stephen
2015 Jan 26
0
How to prevent root from managing/disabling SELinux
...imes :-)
>
> The problem is that I can't see how to prevent this. There are too many
> access points (not just the CLI tools but the pp files and the /sys tree
> and I don't know what else).
>
> I do note that /etc/selinux has selinux_config_t and /sys/fs/selinux
> has security_t so maybe a policy that denies everyone except a new
> security_admin_t permission to modify those files might work?
>
> Has anyone actually attempted this?
>
You would need to disable the unconfined.pp module and the
unconfineduser.pp module
and run all of your users as confined use...
2012 Jan 31
26
[PATCH 00/10] FLASK updates: MSI interrupts, cleanups
This patch set adds XSM security labels to useful debugging output
locations, and fixes some assumptions that all interrupts behaved like
GSI interrupts (which had useful non-dynamic IDs). It also cleans up the
policy build process and adds an example of how to use the user field in
the security context.
Debug output:
[PATCH 01/10] xsm: Add security labels to event-channel dump
[PATCH 02/10] xsm: