Exercises


1. In the LSM framework, which check usually occurs first, the standard Linux access checks or the SELinux checks? Why?

2. In the kernel, how do SELinux object managers and LSM hooks relate?

3. When a new policy is loaded into the kernel, the access vector cache (AVC) is invalidated. Why do you think that is necessary?

4. Although SELinux does not fully implement access revocation on policy change, for objects such as regular files it does. Standard Linux access control does not implement access revocation for regular files. Explain the reasons for this difference.

5. Why do you think userspace object managers cannot use the kernel access validation cache like they do the kernel security server?

6. In the policy server architecture, would it ever make sense to have a userspace object manager without the policy management server? Why or why not?

Extra credit: Go to the example policy source directory and run make policy to create the policy.conf (source) and policy.[ver] (binary) policy files. Use apol to examine the number of allow rules in each file and notice the large difference. What might be the cause of that difference?




SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
