On Wed, 2007-09-19 at 11:09 +0200, Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further.
> Thanks for your assistance!
>
> But wouldn't it be nice to have an allow mechanism in SELinux in which
> I could grant access based on its existing access. What I want to
> achieve is to be able to add a rule like "If process can read etc_t,
> then it can also read etc_foo_t".
>
> That would allow me to change the context of individual files, and grant
> access to them by processes that already have etc_t, and I wouldn't have
> to redefine almost the entire selinux context tree just to target a
> few individual files in /etc for my app.

A notion of type inheritance has been discussed previously on the selinux
list (the upstream list for general selinux discussion, as opposed to this
list, which is Fedora-specific), and has come up again recently. The devil
of course is in the details...

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list