On Wed, Jul 10, 2019 at 11:19:30PM +0300, Jarkko Sakkinen wrote: > On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote: > > On Tue, Jul 09, 2019 at 07:22:03PM +0300, Jarkko Sakkinen wrote: > > > On Mon, Jul 08, 2019 at 10:29:30AM -0700, Sean Christopherson wrote: > > > > On Fri, Jul 05, 2019 at 07:05:49PM +0300, Jarkko Sakkinen wrote: > > > > > On Wed, Jun 19, 2019 at 03:23:49PM -0700, Sean Christopherson wrote: > > > > > > > > > > I still don't get why we need this whole mess and do not simply admit > > > > > that there are two distinct roles: > > > > > > > > > > 1. Creator > > > > > 2. User > > > > > > > > Because SELinux has existing concepts of EXECMEM and EXECMOD. > > > > > > What is the official documentation for those? I've only found some > > > explanations from discussions and some RHEL sysadmin guides. > > > > No clue. My knowledge was gleaned from the code and from Stephen's > > feedback. > > OK, thanks for elaboration. Got nailed some details I was missing :-) > > Anyway, to accompany your code changes I'm eager to document this not > least because it is a good peer test that this all make sense (you > cannot "unit test" a security model so that is the next best thing). > > Still, we need a documentation reference to reflect the narrative > for these changes, seriously. It cannot be that SELinux is widely > deployed and it completely lacks documentation for its basic > objects, can it? The vast majority of documentation I've found is on *using* SELinux, e.g. writing policies and whatnot. I haven't found anything on its internal details, although I admitedly haven't looked all that hard.
