next up previous
Next: Security Mechanisms Up: Security Architecture Previous: Flexibility in Access Decisions


Support for Policy Changes

The Flask AVC provides an interface to the security server for managing the cache as needed for policy changes. Sequence numbers are used to address the potential interleaving of access decision computations and policy change notifications. When the AVC receives a policy change notification, it updates its own state and then invokes callback functions registered by the object managers to update any permissions retained in the state of the object managers. For example, permissions may be retained in the access rights in page tables or in the flags on an open file description. After updating the state of the object managers and the state of the AVC to conform to the policy change, the AVC notifies the security server that the transition to the new policy has been completed.

In SELinux, many permissions are revalidated on use, such as permissions for reading and writing files and permissions for communicating on an established connection. Consequently, policy changes for these permissions are automatically recognized and enforced without the need for object manager callbacks. Permissions can be efficiently revalidated by object managers using references to entries in the AVC. However, the revalidation of permissions on use is not adequate for revoking access to mapped file pages in the Linux page cache. The current SELinux implementation does invalidate the appropriate page cache entries when a file is relabeled, but a callback has not yet been defined to invalidate the appropriate page cache entries when a policy change notification is received.

The SELinux example security server provides an interface for changing the security policy configuration at runtime. The security_load_policy call may be used to read a new policy configuration from a file. After loading the new policy configuration, the security server updates its SID mapping, invalidating any SIDs that are no longer authorized, and resets the AVC. Subsequent permission checks on processes and objects with invalid SIDs always fail, preventing any further accesses by such processes and any further accesses to such objects. Support for automatically relabeling these processes and objects to a label that is accessible to administrators has not yet been implemented.


next up previous
Next: Security Mechanisms Up: Security Architecture Previous: Flexibility in Access Decisions