On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote: > On Tue, Jul 09, 2019 at 07:22:03PM +0300, Jarkko Sakkinen wrote: > > On Mon, Jul 08, 2019 at 10:29:30AM -0700, Sean Christopherson wrote: > > > On Fri, Jul 05, 2019 at 07:05:49PM +0300, Jarkko Sakkinen wrote: > > > > On Wed, Jun 19, 2019 at 03:23:49PM -0700, Sean Christopherson wrote: > > > > > > > > I still don't get why we need this whole mess and do not simply admit > > > > that there are two distinct roles: > > > > > > > > 1. Creator > > > > 2. User > > > > > > Because SELinux has existing concepts of EXECMEM and EXECMOD. > > > > What is the official documentation for those? I've only found some > > explanations from discussions and some RHEL sysadmin guides. > > No clue. My knowledge was gleaned from the code and from Stephen's > feedback. OK, thanks for elaboration. Got nailed some details I was missing :-) Anyway, to accompany your code changes I'm eager to document this not least because it is a good peer test that this all make sense (you cannot "unit test" a security model so that is the next best thing). Still, we need a documentation reference to reflect the narrative for these changes, seriously. It cannot be that SELinux is widely deployed and it completely lacks documentation for its basic objects, can it? /Jarkko
