selinux January 2010 archive

Re: access decision API

From: michel m <michel.mcgregor_at_nospam>
Date: Sat Jan 30 2010 - 08:33:18 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>


As the last question:
what I need is to ask the security server whether data residing in userspace, owning a context, can be written to a file in the OS. Does it make sense if I do it in this way:

    avc_has_perm(data_sid, file_sid, SECCLASS_FILE, NULL, NULL)

I am confused, because I guessed that using such a syntax means checking whether a process is able to write to a file, but here we are going to check whether data can be *written* to a file.

If everything is OK, how is the action specified, that is, write? Regards.

On Wed, Jan 27, 2010 at 10:03 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Wed, 2010-01-27 at 18:10 +0330, michel m wrote:
> > Thanks for the guidance, but here I am with a question. What should be
> > used as the object class in avc_has_perm(3) when using it for
> > inter-object decisions? Is there any sample for an inter-object access
> > decision? Can it be null?
> >
> > On the other hand, does the access decision taken by avc_has_perm()
> > include MLS too?
>
> Yes, the avc_has_perm() or security_compute_av() decision takes into
> account all policy models implemented within the security server,
> including RBAC, TE, and MLS.
>
> --
> Stephen Smalley
> National Security Agency
>
>
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
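As an added illustration (not code from this thread or from libselinux): a small model of the access-vector check behind avc_has_perm(). In libselinux the real call is avc_has_perm(ssid, tsid, tclass, requested, aeref, auditdata), so the action is the requested permission bitmask of the object class (for example FILE__WRITE on class file), and an inter-object check simply passes the data's SID as the subject; the contexts, class and permission numbers and the policy rules below are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Model of the check behind avc_has_perm() (illustration, not libselinux code).
 * Real signature: avc_has_perm(ssid, tsid, tclass, requested, aeref, auditdata);
 * the action is the 'requested' permission bitmask of class 'tclass'. */
typedef uint32_t access_vector_t;
typedef uint16_t security_class_t;
#define SECCLASS_FILE 1u    /* constructed class number */
#define FILE__READ    0x1u  /* constructed subset of the "file" permission bits */
#define FILE__WRITE   0x2u
#define FILE__APPEND  0x4u
/* One rule: allow <scontext> <tcontext>:<tclass> { <allowed> } */
struct av_rule {
    const char *scontext;   /* subject label; for an inter-object check, the data's context */
    const char *tcontext;   /* target label, here the file's context */
    security_class_t tclass;
    access_vector_t allowed;
};
/* Constructed sample policy: secret_t data gets only read on public_t files;
 * unclassified_t data gets read, write and append. */
static const struct av_rule POLICY[] = {
    {"system_u:object_r:secret_t:s1", "system_u:object_r:public_t:s0", SECCLASS_FILE, FILE__READ},
    {"system_u:object_r:unclassified_t:s0", "system_u:object_r:public_t:s0", SECCLASS_FILE,
     FILE__READ | FILE__WRITE | FILE__APPEND},
};

/* Allowed vector for (scontext, tcontext, tclass): union of all matching rules. */
access_vector_t compute_av(const char *sctx, const char *tctx, security_class_t tclass)
{
    access_vector_t av = 0;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (POLICY[i].tclass == tclass && strcmp(POLICY[i].scontext, sctx) == 0 &&
            strcmp(POLICY[i].tcontext, tctx) == 0)
            av |= POLICY[i].allowed;
    return av;
}

/* Like avc_has_perm(): 0 when every requested bit is allowed, otherwise -1 plus an audit line. */
int has_perm(const char *sctx, const char *tctx, security_class_t tclass, access_vector_t requested)
{
    access_vector_t denied = requested & ~compute_av(sctx, tctx, tclass);
    if (denied == 0)
        return 0;
    fprintf(stderr, "avc: denied { 0x%x } scontext=%s tcontext=%s tclass=%u\n",
            (unsigned)denied, sctx, tctx, (unsigned)tclass);
    return -1;
}
```

With the real library, the SIDs come from avc_context_to_sid() and the class and permission numbers from string_to_security_class() and string_to_av_perm(), and the decision covers TE, RBAC and MLS as Stephen notes above.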