Message-ID: <20240821130755.25031-1-cgoettsche@seltendoof.de>
Date: Wed, 21 Aug 2024 15:07:52 +0200
From: Christian Göttsche <cgoettsche@...tendoof.de>
To: selinux@...r.kernel.org
Cc: cgzones@...glemail.com,
jsatterfield.linux@...il.com,
linux-kernel@...r.kernel.org,
omosnace@...hat.com,
paul@...l-moore.com,
stephen.smalley.work@...il.com,
xiujianfeng@...weicloud.com,
tweek@...gle.com,
brambonne@...gle.com
Subject: Re: [PATCH 2/2] selinux: add support for xperms in conditional policies
> From: Christian Göttsche <cgzones@...glemail.com>
>
> Add support for extended permission rules in conditional policies.
> Currently the kernel accepts such rules already, but evaluating a
> security decision will hit a BUG() in
> services_compute_xperms_decision(). Thus reject extended permission
> rules in conditional policies for current policy versions.
>
> Add a new policy version for this feature.
>
> Signed-off-by: Christian Göttsche <cgzones@...glemail.com>
> ---
> Userspace patches are available at:
> https://github.com/SELinuxProject/selinux/pull/432
>
> Maybe the policy version 34 can be reused for the prefix/suffix filetrans
> feature to avoid two new versions?
Kindly ping.
Any comments?
This affects (improves?) also the netlink xperm proposal.