Re: Script to check security?

On Fri, 28 May 2004 11:51:38 CDT, Bob Gustafson <bobgus@xxxxxxx>  said:
> >/datastore/mydata(/.*)?               system_u:object_r:mysqld_db_t
> >/datastore(/.*)?               system_u:object_r:mysqld_db_t
> >
> > (Hint - what happens if there's a /datastore/otherstuff directory?)

> Assuming that /datastore/mydata(/.*) is more restrictive than
> /datastore(/.*), the testing probe could be a small program that 'looks
> like' mysqld (assumes same roles with same selinux tags as mysqld) which
> tries to access files in the 'crack' between /datastore/mydata and
> /datastore. As part of the testing procedure, files could be dropped in the
> 'crack' for this test program to access.

Yes.  However, you just forgot to verify that SAS still works when accessing
its datasets in /datastore/otherstuff because it's labeled mysql_db_t instead
of whatever it should have been for SAS...

Or maybe it wasn't SAS, but Mathematica.  Or was it that other app???

(Yes, it was a trick question to make a point....)
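The check the reply above is pointing at, as an added example that is not part of the original thread: instead of probing only what mysqld can reach, list every path each file-context pattern would label and compare that against which application owns the data. The inventory and file names are constructed, and the matching rule (full-path match, longest literal prefix wins) is a simplifying assumption about how SELinux picks among overlapping entries.

```python
import re

# The two file_contexts entries quoted in the message above.
SPECS = [
    ("/datastore/mydata(/.*)?", "system_u:object_r:mysqld_db_t"),
    ("/datastore(/.*)?", "system_u:object_r:mysqld_db_t"),
]

# Constructed inventory: which application is supposed to own each path.
INVENTORY = {
    "/datastore/mydata/orders.MYD": "mysqld",
    "/datastore/otherstuff": "sas",
    "/datastore/otherstuff/survey.sas7bdat": "sas",
    "/home/bob/notes.txt": "user",
}

# Assumption: the type that belongs to each application's data.
# Only mysqld_db_t appears on the page, so it is the only entry.
EXPECTED_TYPE = {"mysqld": "mysqld_db_t"}

def literal_stem(pattern):
    """Length of the pattern's leading run without regex metacharacters."""
    return len(re.match(r"[^.^$?*+|\[\](){}\\]*", pattern).group(0))

def label_for(path, specs=SPECS):
    """Return (pattern, context) of the winning spec, or None if unlabeled.
    Simplification: the whole path must match; longest literal stem wins."""
    hits = [(p, c) for p, c in specs if re.fullmatch(p, path)]
    return max(hits, key=lambda h: literal_stem(h[0])) if hits else None

def audit(inventory=INVENTORY, specs=SPECS):
    """List paths that receive a type belonging to a different application."""
    owner_of_type = {t: app for app, t in EXPECTED_TYPE.items()}
    findings = []
    for path, app in sorted(inventory.items()):
        hit = label_for(path, specs)
        if hit is None:
            continue
        pattern, context = hit
        setype = context.split(":")[2]
        type_owner = owner_of_type.get(setype)
        if type_owner is not None and type_owner != app:
            findings.append((path, app, setype, pattern))
    return findings

if __name__ == "__main__":
    for path, app, setype, pattern in audit():
        print(f"{path}: owned by {app} but labeled {setype} via {pattern}")
```

With both entries loaded, the two paths under /datastore/otherstuff are reported; with only the /datastore/mydata entry, nothing is.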
