@@ -3,50 +3,44 @@
There are a number of ways to compute access decisions within userspace
SELinux-aware applications or object managers:
-1. Use of the ***selinux_check_access**(3)* function is the
- recommended option. This utilises the AVC services discussed in
- bullet 3 in a single call that:
-
-- Dynamically resolves class and permissions strings to their
- class/permission values using ***string_to_security_class**(3)*
- and ***string_to_av_perm**(3)* with
- ***security_deny_unknown**(3)* to handle unknown
- classes/permissions.
-- Uses ***avc_has_perm**(3)* to check whether the decision is cached
- before calling ***security_compute_av_flags**(3)* (and caching
- the result), checks enforcing mode (both global and per-domain
- (permissive)), and logs any denials (there is also an option to add
- supplemental auditing information that is handled as described in
- ***avc_audit**(3)*.
-
-2. Use functions that do not cache access decisions (i.e. they do not
- use the *libselinux* AVC services). These require a call to the
- kernel for every decision using ***security_compute_av**(3)* or
- ***security_compute_av_flags**(3)*. The ***avc_netlink_\***(3)*
- functions can be used to detect policy change events. Auditing would
- need to be implemented if required.
-
-3. Use functions that utilise the *libselinux* userspace AVC services
- that are initialised with ***avc_open**(3)*. These can be built in
- various configurations such as:
-
-- Using the default single threaded mode where ***avc_has_perm**(3)*
- will automatically cache entries, audit the decision and manage
- the handling of policy change events.
-
-- Implementing threads or a similar service that will handle policy
- change events and auditing in real time with
- ***avc_has_perm**(3)* or ***avc_has_perm_noaudit**(3)*
- handling decisions and caching. This has the advantage of better
- performance, which can be further increased by caching the entry
- reference.
-
-4. Implement custom caching services with
- ***security_compute_av**(3)* or
- ***security_compute_av_flags**(3)* for computing access
- decisions. The ***avc_netlink_\***(3)* functions can then be used to
- detect policy change events. Auditing would need to be implemented
- if required.
+1. Use of the ***selinux_check_access**(3)* function is the
+ recommended option. This utilises the AVC services discussed in
+ bullet 3 in a single call that:
+ - Dynamically resolves class and permissions strings to their
+ class/permission values using ***string_to_security_class**(3)*
+ and ***string_to_av_perm**(3)* with
+ ***security_deny_unknown**(3)* to handle unknown
+ classes/permissions.
+ - Uses ***avc_has_perm**(3)* to check whether the decision is cached
+ before calling ***security_compute_av_flags**(3)* (and caching
+ the result), checks enforcing mode (both global and per-domain
+ (permissive)), and logs any denials (there is also an option to add
+ supplemental auditing information that is handled as described in
+ ***avc_audit**(3)*.
+2. Use functions that do not cache access decisions (i.e. they do not
+ use the *libselinux* AVC services). These require a call to the
+ kernel for every decision using ***security_compute_av**(3)* or
+ ***security_compute_av_flags**(3)*. The ***avc_netlink_\***(3)*
+ functions can be used to detect policy change events. Auditing would
+ need to be implemented if required.
+3. Use functions that utilise the *libselinux* userspace AVC services
+ that are initialised with ***avc_open**(3)*. These can be built in
+ various configurations such as:
+ - Using the default single threaded mode where ***avc_has_perm**(3)*
+ will automatically cache entries, audit the decision and manage
+ the handling of policy change events.
+ - Implementing threads or a similar service that will handle policy
+ change events and auditing in real time with
+ ***avc_has_perm**(3)* or ***avc_has_perm_noaudit**(3)*
+ handling decisions and caching. This has the advantage of better
+ performance, which can be further increased by caching the entry
+ reference.
+4. Implement custom caching services with
+ ***security_compute_av**(3)* or
+ ***security_compute_av_flags**(3)* for computing access
+ decisions. The ***avc_netlink_\***(3)* functions can then be used to
+ detect policy change events. Auditing would need to be implemented
+ if required.
Where performance is important when making policy decisions, then the
***selinux_status_open**(3)*, ***selinux_status_updated**(3)*,
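Review bot: the nested sub-bullets under items 1 and 3 (the "- Dynamically resolves ..." / "- Uses ***avc_has_perm**(3)* ..." lines and the two "- Using ..." / "- Implementing ..." lines) appear in this hunk indented by only a single space; CommonMark needs a sub-list indented to at least the content offset of its parent item (three spaces for "1. ") to nest, otherwise the dash starts a new top-level list that interrupts the ordered list and restarts its numbering. If the whitespace shown here reflects the file, indent those lines by three spaces, e.g. `   - Dynamically resolves class and permissions strings to their`, and render the page once to confirm items 1 through 4 stay in one numbered list. A smaller point: item 1 still says "the AVC services discussed in bullet 3" while the list is numbered, so "item 3" (or "option 3") would read better now that the entries are no longer bullets.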
Convert to markdown

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 src/computing_access_decisions.md | 82 ++++++++++++++-----------------
 1 file changed, 38 insertions(+), 44 deletions(-)