Lines Matching refs:that
8 control that includes simplicity in its primary design goals.
23 works best with file systems that support extended attributes,
29 access to systems that use them as Smack does.
66 The extended attributes that Smack uses are:
71 of the process that created it.
73 The Smack label of a process that execs a program file with
83 the Smack rule (more below) that permitted the write access
169 permissions that are not allowed. The string "r-x--" would
181 permissions that are not allowed. The string "r-x--" would
204 that have Smack write access to the host label. All packets
216 0 - default: this is the policy that relies on Smack access rules.
219 1 - exact: this is the policy that limits PTRACE_ATTACH. Attach is
223 exception that it can't be overridden with CAP_SYS_PTRACE.
226 rules with that subject label.
230 Thereafter, accesses that involve that label will be logged and
231 the access permitted if it wouldn't be otherwise. Note that this
262 or programs that have access to pieces of data.
276 This scheme organizes users, programs, and data into domains that are
297 pick up. There are four terms that are used in a specific way and that are
310 Label: Data that identifies the Mandatory Access Control
314 community. There are also some terms from Linux that are likely to crop up:
316 Capability: A task that possesses a capability has permission to
318 the specific capability. A task that possesses one or more
322 Privilege: A task that is allowed to violate the system security
337 Single character labels using special characters, that being anything
380 6. Any access requested that is explicitly defined in the loaded
402 of access allowed. The access specification is searched for letters that
405 a: indicates that append access should be granted.
406 r: indicates that read access should be granted.
407 w: indicates that write access should be granted.
408 x: indicates that execute access should be granted.
409 t: indicates that the rule requests transmutation.
410 b: indicates that the rule should be reported for bring-up.
431 with the same label specifying a rule for that case is pointless. Only
434 as "ar". A lone dash is used to specify that no access should be allowed.
446 and devices require access permissions that closely match those used by mode
451 directory. It is possible that a user may be able to see that a file exists
457 access rule that allows a process to create an object in that directory
458 includes 't' access the label assigned to the new object will be that
468 them is the same Smack label that the task would use for its own access
471 and writing. Creating a new task is an internal operation that results in two
475 one process to another requires that the sender have write access to the
512 packet received is expected to have a CIPSO tag that identifies the label and
514 is delivered a check is made to determine that a subject with the label on the
515 packet has write access to the receiving process and if that is not the case
523 intervention. Unlabeled packets that come into the system will be given the
526 Smack requires configuration in the case where packets from a system that is
527 not Smack that speaks CIPSO may be encountered. Usually this will be a Trusted
531 of systems that use compatible labeling schemes, and the DOI specified on the
532 Smack system must match that of the remote system or packets will be
559 CIPSO level is used to indicate that the category set passed in the packet is
566 There are two attributes that are associated with sockets. These attributes
571 program that will enforce policy may set this to the star label.
579 You will often find that your labeled application has to talk to the outside,
585 It means that your application will have unlabeled access to @IP1 if it has
609 There are three sorts of applications that will run on a Smack system. How an
628 These are special programs that not only know about Smack, but participate in
629 the enforcement of system policy. In most cases these are the programs that
630 set up user sessions. There are also network services that provide information
672 smackfsdef=label: specifies the label to give files that lack
678 smackfshat=label: specifies a label that must have read access to
699 that triggered the event, plus other pairs depending on the type of event
704 Bringup mode provides logging features that can make application
707 mode is enabled accesses that succeed due to rules marked with the "b"
710 tracking of which rules actual get used for that label.
713 a label to /sys/fs/smackfs/unconfined makes subjects with that label
714 able to access any object, and objects with that label accessible to
715 all subjects. Any access that is granted because a label is unconfined