LinuxQuestions.org
Linux - Kernel This forum is for all discussion relating to the Linux kernel.

03-06-2008, 01:05 PM #16
alan_ri (Senior Member; Registered: Dec 2007; Location: Croatia; Distribution: Debian GNU/Linux; Posts: 1,733; Blog Entries: 5; Reputation: 127)

Quote: Originally Posted by matrixdipu
What I want to do is to customise the file which loads the policy, or the init script, such that we have a choice of which policy file to load. It's some generic kind of thing. If you can suggest any other way the same can be achieved, it will be very much appreciated. Thanks.
Please understand this: policies are a set of rules governing things such as the roles a user has access to, which roles can enter which domains, and which domains can access which types. You can edit your policy files according to how you want your system set up. The purpose of SELinux is to enforce policies, so policies form the core of SELinux. The default policy is to deny everything, and every operation has to be explicitly permitted in a policy file.

So you don't load a policy at boot; you load SELinux, which then does what is written in the policy that is ACTIVE, meaning you can configure as many policies as you like, but SELinux will load the one that is active. And this is from http://www.redhat.com; it really describes things clearly:
  1. After the kernel has been loaded during boot, the initial process is assigned the predefined initial SID kernel. Initial SIDs are used for bootstrapping before the policy is loaded.
  2. /sbin/init mounts /proc/, then looks for the selinuxfs file system type. If it is present, that means SELinux is enabled in the kernel.
  3. If init does not find SELinux in the kernel, finds it is disabled via the selinux=0 boot parameter, or if /etc/selinux/config specifies that SELINUX=disabled, boot proceeds with a non-SELinux system.
    At the same time, init sets the enforcing status if it is different from the setting in /etc/selinux/config. This happens when a parameter is passed during boot. The default mode is permissive until the policy is loaded, then enforcement is set by the configuration file or by the parameters enforcing=0 or enforcing=1.
  4. If SELinux is present, /selinux/ is mounted.
  5. The kernel checks /selinux/policyvers for the supported policy version. init looks into /etc/selinux/config to see which policy is active, such as the targeted policy, and loads the associated file at $SELINUX_POLICY/policy.<version>.
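
The lookup in steps 3 and 5 above, written out as a userspace imitation so the selection can be tried against a constructed directory tree. This is an added example, not code from the thread or from Red Hat's init/libselinux: it reads `SELINUX=` and `SELINUXTYPE=` from a config file, takes the kernel's highest supported policy version (what `/selinux/policyvers` reports) as a plain number, and resolves `<root>/<type>/policy/policy.<N>`. The config path, root directory and version are parameters, and the `demo` tree (policy versions 20, 21, 23) is constructed for the example, so nothing here touches the live `/etc/selinux` of the machine it runs on.

```shell
#!/bin/sh
# Added example: imitate the policy-file lookup init performs at boot.
# Not the real init/libselinux code; paths and versions are parameters.

# resolve_policy CONFIG ROOT KERNEL_POLICYVERS
#   prints "disabled" when SELINUX=disabled, otherwise the policy path;
#   returns 1 when no loadable policy file exists for the active type.
resolve_policy() {
    config=$1; root=$2; kernvers=$3
    # Last assignment wins, as it would when the file is sourced; comments are ignored.
    state=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$config" | tail -n 1)
    type=$(sed -n 's/^[[:space:]]*SELINUXTYPE=\([A-Za-z0-9_.-]*\).*/\1/p' "$config" | tail -n 1)
    if [ "$state" = disabled ]; then
        echo disabled
        return 0
    fi
    if [ -z "$type" ]; then
        echo "resolve_policy: no SELINUXTYPE in $config" >&2
        return 1
    fi
    # The kernel refuses a policy newer than it understands, so walk down from
    # policyvers and take the first policy.<N> that exists for the active type.
    v=$kernvers
    while [ "$v" -gt 0 ]; do
        candidate="$root/$type/policy/policy.$v"
        if [ -f "$candidate" ]; then
            echo "$candidate"
            return 0
        fi
        v=$((v - 1))
    done
    echo "resolve_policy: no policy.<=$kernvers under $root/$type/policy" >&2
    return 1
}

# demo TYPE: build a constructed policy tree (hypothetical versions, not a real
# system), point the config at TYPE, resolve for a kernel reporting policyvers 21,
# and print the result with the temp root replaced by ROOT so the output is stable.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/targeted/policy" "$tmp/strict/policy"
    : > "$tmp/targeted/policy/policy.21"
    : > "$tmp/strict/policy/policy.20"
    : > "$tmp/strict/policy/policy.23"    # newer than the kernel supports: must be skipped
    printf '# SELinux config (constructed)\nSELINUX=enforcing\nSELINUXTYPE=%s\n' "$1" > "$tmp/config"
    resolve_policy "$tmp/config" "$tmp" 21 | sed "s#^$tmp#ROOT#"
    rm -rf "$tmp"
}

# demo targeted  -> ROOT/targeted/policy/policy.21
# demo strict    -> ROOT/strict/policy/policy.20   (policy.23 skipped, policy.21 absent)
```

The point the two `demo` calls make is the one alan_ri is getting at: which policy boots is decided by `SELINUXTYPE=` in the config file and by which `policy.<N>` files exist under that type, not by anything in init itself. Changing the type on a real system also requires the filesystem to be relabeled for the new policy, which this example does not cover.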

 
03-06-2008, 10:44 PM #17
matrixdipu, Original Poster (LQ Newbie; Registered: Feb 2008; Distribution: RHEL; Posts: 13; Reputation: 0)
Quote: Originally Posted by unSpawn
Why would you *want* to choose which policy to load?
I think it's time you elaborate on what you *really* want to do.
The reason to load a policy of choice is to make the project generic. There can be several policy files which can be loaded at any point of time according to need.
My project is about enhancing the security in the existing RHEL (SELinux) by implementing fine-grained access control over the resources of Linux. The access control decisions have to be imported into the native policy files from some external files or an authorization and authentication server using XACML.
I am in the initial phase of prototype design. I need a test case for the project. I can have SELinux access control over some specific daemons only, like httpd, but not over all the resources, due to the targeted policy. So here I need to decide which policy to load: only if I change to the strict policy can the policy file be changed, and we can have access control over other resources as well.

Hope that it's not too confusing.
 
03-07-2008, 07:39 AM #18
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55; Reputation: 3600)
No it's not confusing, it looks like it's just the wrong train of thought, something which alan_ri already suspected.
 
03-07-2008, 07:49 AM #19
matrixdipu, Original Poster (LQ Newbie; Registered: Feb 2008; Distribution: RHEL; Posts: 13; Reputation: 0)
Quote: Originally Posted by unSpawn
No it's not confusing, it looks like it's just the wrong train of thought, something which alan_ri already suspected.
So what should be the correct path? Please guide.
 
03-07-2008, 08:08 AM #20
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55; Reputation: 3600)
Maybe you could post a real life example of something you want to change and we try to work out a solution from that.
 
03-11-2008, 01:53 AM #21
matrixdipu, Original Poster (LQ Newbie; Registered: Feb 2008; Distribution: RHEL; Posts: 13; Reputation: 0)
Sorry that I could not post in the thread for a while. Now I have what I need. Please have a look at this...

SELinux has hooks located at strategic points within the core kernel code, such as the point where a file is about to be read by a user. These hooks allow SELinux to break out of the normal flow of the kernel to request extended access control decisions. Access control decisions usually are made between a process (for example, cat) and an object (for example, /etc/shadow) for a specific permission (read).

Decision requests are sent to the access vector cache (AVC), which passes requests through to the security server for interpretation. The security server consults the security policy database and determines a result, which is cached in the AVC and returned to the SELinux hook.

The SELinux hook then allows the flow to continue or return EACCES, depending on the decision result. Security context labels assigned to processes and objects are used to make these access control decisions.

The URI for the document is the following:

http://www.linuxjournal.com/article/7426

Thanks for all your support.
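
The decision path quoted above ends, for a denial, in the hook returning EACCES, and on an auditing system each such decision also leaves an `avc: denied` record naming the subject context, object context, class and permission. The script below is an added example, not from the thread or the Linux Journal article: it extracts that (process, object, permission) triple from audit records and rewrites each denial in the `allow source_t target_t:class { perms };` form a type-enforcement rule takes, which is the same step a tool such as audit2allow performs. The three log lines in `sample_log` are constructed for the example (the pids, inodes and timestamps are invented), and the `cat` reading `/etc/shadow` case mirrors the one in the quoted text.

```shell
#!/bin/sh
# Added example: turn AVC audit records into (subject, object, permission)
# triples and candidate allow rules. The log lines are constructed, not captured.

sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1205222400.123:42): avc:  denied  { read } for  pid=2345 comm="cat" name="shadow" dev=sda1 ino=1234 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1205222400.456:43): avc:  granted  { setenforce } for  pid=2351 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1205222401.789:44): avc:  denied  { name_connect } for  pid=2360 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# avc_denials: audit records on stdin -> one line per denial, fields separated by "|":
#   comm|tclass|perms|scontext|tcontext
# "granted" records (permissive mode or auditallow rules) are dropped; the
# permission set inside { } is captured whole so multi-permission denials survive.
avc_denials() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *}.*comm="\([^"]*\)".*scontext=\([^ ]*\) *tcontext=\([^ ]*\) *tclass=\([^ ]*\).*/\2|\5|\1|\3|\4/p'
}

# avc_to_allow: audit records on stdin -> de-duplicated allow rules.
# The type is the third colon-separated field of a context (user:role:type:level).
# These are candidates for review, not rules to paste in: a denial on shadow_t
# is usually the policy doing its job, not a bug to allow.
avc_to_allow() {
    avc_denials | while IFS='|' read -r comm tclass perms src tgt; do
        st=$(printf '%s\n' "$src" | cut -d: -f3)
        tt=$(printf '%s\n' "$tgt" | cut -d: -f3)
        printf 'allow %s %s:%s { %s };\n' "$st" "$tt" "$tclass" "$perms"
    done | sort -u
}

# sample_log | avc_denials
#   cat|file|read|user_u:user_r:user_t:s0|system_u:object_r:shadow_t:s0
#   httpd|tcp_socket|name_connect|system_u:system_r:httpd_t:s0|system_u:object_r:mysqld_port_t:s0
# sample_log | avc_to_allow
#   allow httpd_t mysqld_port_t:tcp_socket { name_connect };
#   allow user_t shadow_t:file { read };
```

Run it against a real machine with `grep avc: /var/log/audit/audit.log | avc_to_allow` (the audit log path is the usual one on RHEL and is an assumption here). The generated rules show exactly which security-server decision a hook returned EACCES for, which is what the quoted passage describes, and they are the starting point for deciding whether a fine-grained policy should permit it.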
 
03-11-2008, 07:12 AM #22
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55; Reputation: 3600)
Know those warning signs on electrical components saying "no user serviceable parts inside"? With all due respect, but if you're going to tamper with kernel SELinux structures I'd strongly suggest you get on both the SELinux mailing list and the LKML to have your thinking|patching sanity|quality checked.
 
  

