CRED: Add a kernel_service object class to SELinux
Add a 'kernel_service' object class to SELinux and give this object class two access vectors: 'use_as_override' and 'create_files_as'. The first vector is used to grant a process the right to nominate an alternate process security ID for the kernel to use as an override for the SELinux subjective security when accessing stuff on behalf of another process. For example, CacheFiles when accessing the cache on behalf on a process accessing an NFS file needs to use a subjective security ID appropriate to the cache rather then the one the calling process is using. The cachefilesd daemon will nominate the security ID to be used. The second vector is used to grant a process the right to nominate a file creation label for a kernel service to use. Signed-off-by:David Howells <dhowells@redhat.com> Signed-off-by:
James Morris <jmorris@namei.org>
Showing
- security/selinux/include/av_perm_to_string.h 2 additions, 0 deletionssecurity/selinux/include/av_perm_to_string.h
- security/selinux/include/av_permissions.h 2 additions, 0 deletionssecurity/selinux/include/av_permissions.h
- security/selinux/include/class_to_string.h 5 additions, 0 deletionssecurity/selinux/include/class_to_string.h
- security/selinux/include/flask.h 1 addition, 0 deletionssecurity/selinux/include/flask.h
Loading
Please register or sign in to comment