[RFC PATCH v4 00/12] security: x86/sgx: SGX vs. LSM
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Thu Jul 11 09:06:50 UTC 2019
On Wed, Jul 10, 2019 at 01:31:04PM -0700, Sean Christopherson wrote:
> On Wed, Jul 10, 2019 at 11:19:30PM +0300, Jarkko Sakkinen wrote:
> > On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote:
> > > On Tue, Jul 09, 2019 at 07:22:03PM +0300, Jarkko Sakkinen wrote:
> > > > On Mon, Jul 08, 2019 at 10:29:30AM -0700, Sean Christopherson wrote:
> > > > > On Fri, Jul 05, 2019 at 07:05:49PM +0300, Jarkko Sakkinen wrote:
> > > > > > On Wed, Jun 19, 2019 at 03:23:49PM -0700, Sean Christopherson wrote:
> > > > > >
> > > > > > I still don't get why we need this whole mess and do not simply admit
> > > > > > that there are two distinct roles:
> > > > > >
> > > > > > 1. Creator
> > > > > > 2. User
> > > > >
> > > > > Because SELinux has existing concepts of EXECMEM and EXECMOD.
> > > >
> > > > What is the official documentation for those? I've only found some
> > > > explanations from discussions and some RHEL sysadmin guides.
> > >
> > > No clue. My knowledge was gleaned from the code and from Stephen's
> > > feedback.
> >
> > OK, thanks for elaboration. Got nailed some details I was missing :-)
> >
> > Anyway, to accompany your code changes I'm eager to document this not
> > least because it is a good peer test that this all make sense (you
> > cannot "unit test" a security model so that is the next best thing).
> >
> > Still, we need a documentation reference to reflect the narrative
> > for these changes, seriously. It cannot be that SELinux is widely
> > deployed and it completely lacks documentation for its basic
> > objects, can it?
>
> The vast majority of documentation I've found is on *using* SELinux,
> e.g. writing policies and whatnot. I haven't found anything on its
> internal details, although I admitedly haven't looked all that hard.
I think these are the best references.
Object classes:
https://selinuxproject.org/page/ObjectClassesPerms
Background/concepts:
https://selinuxproject.org/page/Category:Notebook#Notebook_Sections
/Jarkko
More information about the Linux-security-module-archive
mailing list