From: Jason C. <jas...@gm...> - 2012-09-19 06:39:15
Hi Mimi,

Sorry for the late reply. Thank you for your suggestion. It's very useful. :-)

Regards,
Jason

2012/9/16 Mimi Zohar <zo...@li...>
> On Fri, 2012-09-14 at 13:17 +0800, Jason Chow wrote:
> > Hi all,
> >
> > The SELinux extension to the measurement list could be written like
> > 'measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t'. Where could
> > I find documentation about the SELinux extension? For example, how many
> > masks could there be? If I want to measure some files after the system
> > is on, even with no operations (no read or exec ops) on these files, how do I
> > write the policy file?
>
> The IMA measurement/appraisal policy is limited at the moment to three
> hooks, file_check, file_mmap, and bprm_check. The default policy
> measures/appraises files opened for read at file_check and defers the
> measurement/appraisal of files opened for exec to file_mmap/bprm_check.
> A custom policy based on SELinux labels could be used to constrain the
> default policy even further (eg. don't measure log files or VMs).
>
> A hook for measuring/appraising kernel modules has been proposed. Other
> than these hooks, there is no mechanism for measuring/appraising files.
> Previous work defined a mechanism for registering other types of
> templates, which was not limited to these hooks. For more information
> on LIM/templates, which was not upstreamed, refer to
> https://lkml.org/lkml/2008/10/13/344.
>
> thanks,
>
> Mimi
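The policy shape Mimi describes (the three hooks, with the default rules narrowed by SELinux labels so that log files and VM images are skipped), as an added example that is not part of this thread and not the kernel's own IMA code. Action, hook, mask and condition names are those of the kernel's ima_policy ABI (note that the policy tokens are upper case, FILE_CHECK rather than the file_check Mimi uses for the hook itself); the SELinux types var_log_t, virt_image_t and my_app_t and the sample policy text are constructed for illustration, and the module hook is included under the name it was later merged with, MODULE_CHECK, which at the time of the thread was still a proposal. The evaluator reproduces IMA's first-match walk over the rule list, which is why the dont_measure exceptions have to precede the general rules.

```python
"""Parser and first-match evaluator for IMA policy rules.

Added example, not code from the thread or from the kernel.  Token names
follow Documentation/ABI/testing/ima_policy; the SELinux types
(var_log_t, virt_image_t, my_app_t) and the policy text are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise", "audit"}
# The three hooks named in the thread, plus the kernel-module hook that was
# only a proposal at the time and was later merged as MODULE_CHECK.
HOOKS = {"FILE_CHECK", "FILE_MMAP", "BPRM_CHECK", "MODULE_CHECK"}
MASKS = {"MAY_READ", "MAY_WRITE", "MAY_APPEND", "MAY_EXEC"}
LSM_KEYS = {"obj_user", "obj_role", "obj_type",
            "subj_user", "subj_role", "subj_type"}

# Constructed policy: the default shape (measure reads at FILE_CHECK, defer
# exec to FILE_MMAP/BPRM_CHECK) narrowed with SELinux labels.  IMA takes the
# first matching rule, so the dont_measure exceptions come first.
SAMPLE_POLICY = """\
# exceptions first: procfs (fsmagic 0x9fa0), logs and VM images
dont_measure fsmagic=0x9fa0
dont_measure func=FILE_CHECK obj_type=var_log_t
dont_measure func=FILE_CHECK obj_type=virt_image_t
# general rules
measure func=BPRM_CHECK
measure func=FILE_MMAP mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
measure func=FILE_CHECK mask=MAY_READ obj_type=my_app_t
"""


@dataclass
class Rule:
    action: str
    func: Optional[str] = None
    mask: Optional[str] = None
    fsmagic: Optional[int] = None
    uid: Optional[int] = None
    fowner: Optional[int] = None
    lsm: Dict[str, str] = field(default_factory=dict)


def parse_rule(line: str) -> Rule:
    """Parse one 'action key=value ...' line, rejecting unknown tokens."""
    tokens = line.split()
    action, conds = tokens[0], tokens[1:]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    rule = Rule(action)
    for tok in conds:
        key, sep, val = tok.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed condition {tok!r}")
        if key == "func":
            if val not in HOOKS:
                raise ValueError(f"unknown hook {val!r}")
            rule.func = val
        elif key == "mask":
            if val not in MASKS:
                raise ValueError(f"unknown mask {val!r}")
            rule.mask = val
        elif key == "fsmagic":
            rule.fsmagic = int(val, 16)       # hex, e.g. 0x9fa0
        elif key in ("uid", "fowner"):
            setattr(rule, key, int(val, 10))  # decimal
        elif key in LSM_KEYS:
            rule.lsm[key] = val
        else:
            raise ValueError(f"unknown condition {key!r}")
    return rule


def parse_policy(text: str) -> List[Rule]:
    """Parse a whole policy; like the kernel, skip blank and '#' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rules


def first_match(rules: List[Rule], func: str, mask: str, *, uid: int = 0,
                fowner: int = 0, fsmagic: int = 0,
                labels: Optional[Dict[str, str]] = None) -> Optional[Rule]:
    """First rule whose every condition holds for this access, the way IMA
    walks its list; None means no rule covers the access at all."""
    labels = labels or {}
    for r in rules:
        if r.func is not None and r.func != func:
            continue
        if r.mask is not None and r.mask != mask:
            continue
        if r.fsmagic is not None and r.fsmagic != fsmagic:
            continue
        if r.uid is not None and r.uid != uid:
            continue
        if r.fowner is not None and r.fowner != fowner:
            continue
        if any(labels.get(k) != v for k, v in r.lsm.items()):
            continue
        return r
    return None


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for hook, mask, labels in [("FILE_CHECK", "MAY_READ", {"obj_type": "var_log_t"}),
                               ("FILE_CHECK", "MAY_READ", {"obj_type": "my_app_t"}),
                               ("FILE_CHECK", "MAY_WRITE", {"obj_type": "my_app_t"})]:
        hit = first_match(rules, hook, mask, uid=1000, labels=labels)
        print(hook, mask, labels, "->", hit.action if hit else "no rule")
```

On a real system the file is loaded by writing it to /sys/kernel/security/ima/policy (securityfs must be mounted), and the kernels of that era accepted a single policy write per boot, so the ordering has to be right the first time. The evaluator also makes Mimi's last point concrete: every rule is keyed on a hook that fires at an open, mmap or exec, so a file that is never accessed after boot (Jason's "no operations" case) matches nothing and is not measured.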