Re: Many to one translations in setrans.conf

Joe Nall wrote:
We have been using /etc/selinux/mls/setrans.conf files that use multiple equivalent translations to support common aliases. For example:

s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR

This has the effect of mapping all of these labels to a common context. This context maps back to the first translation (CONFIDENTIAL//REL FU).

'semanage translation -a -T ...' has different behavior. When a translation is added, it rewrites the file using the last (C O N F I D E N T I A L RELEASABLE TO BAR) translation and deletes the other translations. It also moves all of the comments to the top, moving them away from the translation they are documenting.

Should we be using this many to one behavior to support aliases? Is it broken in other ways that we have not discovered yet?

No, I think this is fine, but the tool is probably broken.
joe

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
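
The many-to-one behaviour described in the quoted message, as an added example that is not part of the original thread or of the SELinux tools: a short Python check that models the file as the message describes it (any listed label maps to the context, the context maps back to the first label listed) and reports which aliases a rewrite dropped. The AFTER sample, the comment lines in both samples and all function names are constructed for illustration; only plain `range=label` lines and `#` comment lines are handled.

```python
# Constructed sample: the six translations quoted in the message.
BEFORE = """\
# releasability aliases (constructed comment)
s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
"""

# Constructed sample: the file after a rewrite as the message describes it,
# with only the last translation kept.
AFTER = """\
# releasability aliases (constructed comment)
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
"""

def parse_setrans(text):
    """Map each raw context to its labels, in file order."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            context, label = line.split("=", 1)
            table.setdefault(context.strip(), []).append(label.strip())
    return table

def to_context(table, label):
    """Forward direction: any listed alias resolves to its context."""
    return next((c for c, labels in table.items() if label in labels), None)

def to_label(table, context):
    """Reverse direction, as described in the message: first listed label wins."""
    return table.get(context, [None])[0]

def lost_aliases(before, after):
    """Return (dropped aliases per context, changed display label per context)."""
    old, new = parse_setrans(before), parse_setrans(after)
    dropped, changed = {}, {}
    for context, labels in old.items():
        gone = [l for l in labels if l not in new.get(context, [])]
        if gone:
            dropped[context] = gone
        if to_label(old, context) != to_label(new, context):
            changed[context] = (to_label(old, context), to_label(new, context))
    return dropped, changed

if __name__ == "__main__":
    print(lost_aliases(BEFORE, AFTER))
```

Running the same comparison on copies of setrans.conf taken before and after a tool rewrites it shows whether labels that users or scripts still supply have stopped resolving, and whether the label displayed for a context has changed.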

