Matt Anderson wrote:
I've been working on adding SELinux labeling support to the CUPS service
with the goal of meeting all the requirements of an LSPP evaluation.
Even though my goal is a system running the MLS policy I realize that
many users will be using targeted policy and could be interested in
these features.
Specifically one addition is forced page labels. On an MLS system its
common to see SystemLow-SystemHigh added to the top and bottom of each
printed page, corresponding to the user's level when they sent the job.
For a targeted system there is no level, so "(null)" was being added.
If the system was configured for compartments however that would be
printed, "Reception" or "Lab" could be applied to each page. This is a
configurable option, and not enabled by default, but it seems like it
could be useful for some MCS users. My main question is in the case of
no compartments would you want a marker saying that there wasn't a
compartment, or should the label be left off? Is there any MCS specific
things I should be aware of that I might otherwise overlook coming at
this from an MLS direction?
You should not have a label if there is none. So s0=="".
For MCS we really want the label of the file you are printing, not the
level that you are running at.
So if I am running
id -Z
user_u:system_r:unconfined_t:s0-PatientRecord,Unclassified
But I print a document labeled PatientRecord, it should print PatientRecord.
Not PatientRecord,Unclassified
thanks
-matt
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
