Re: How would I go about figuring out if two SELinux MLS Levels intersect?

On Tue, 2008-02-19 at 17:13 -0500, Daniel J Walsh wrote:
> s2:c0-s2:c0.c10 and s2:c9.c10
> 
> 
> IE How do I do the arbitration/dominance math in Code?

(cc'ing the list)

You can model it as a permission check between the two contexts, and
then write a MLS constraint in policy that requires dominance or
whatever relationship you want.  Then it is just an avc_has_perm call.
Same thing that we did for permission check in the pam_selinux code to
verify that the user's level is within his range.  Or what we talked
about for applying a permission check in mcstransd to see if the
requestor is allowed to translate the context.  Not sure that ever got
implemented in mcstransd though?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
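
The dominance math the question asks about, worked through for the two labels in the quoted message. This is an added example, not part of the thread and not libselinux or policy code. It compares the labels directly in userspace rather than through the avc_has_perm check the reply recommends; the function names are hypothetical and categories are limited to c0..c63.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

struct level { long sens; uint64_t cats; };   /* cats: bitmap of c0..c63 (example limit) */
struct range { struct level low, high; };
/* a dominates b: sensitivity at least as high, categories a superset. */
static int dominates(const struct level *a, const struct level *b) {
    return a->sens >= b->sens && (b->cats & ~a->cats) == 0;
}
/* Read a decimal number at *pp and advance past it (value capped below 10^6); -1 if no digit. */
static long num(const char **pp) {
    long v = -1;
    for (; isdigit((unsigned char)**pp) && v < 100000; ++*pp) v = (v < 0 ? 0 : v * 10) + (**pp - '0');
    return v;
}
/* Parse "sN[:cA[.cB][,cC...]]"; returns first unparsed char, NULL if malformed. */
static const char *parse_level(const char *s, struct level *out) {
    if (*s++ != 's' || (out->sens = num(&s)) < 0) return NULL;
    out->cats = 0;
    if (*s != ':') return s;
    do {
        if (*++s != 'c') return NULL;
        s++;
        long a = num(&s), b = a;
        if (s[0] == '.' && s[1] == 'c') { s += 2; b = num(&s); }   /* cA.cB: inclusive span */
        if (a < 0 || b > 63 || a > b) return NULL;
        for (; a <= b; a++) out->cats |= UINT64_C(1) << a;
    } while (*s == ',');
    return s;
}
/* Parse "low[-high]"; a lone level is the range low..low. High must dominate low. */
static int parse_range(const char *s, struct range *r) {
    const char *p = parse_level(s, &r->low);
    if (p) r->high = r->low;
    if (p && *p == '-') p = parse_level(p + 1, &r->high);
    return (p && *p == '\0' && dominates(&r->high, &r->low)) ? 0 : -1;
}
/* 1 if some level lies in both ranges, 0 if none, -1 on bad input. */
int mls_ranges_intersect(const char *x, const char *y) {
    struct range a, b;
    if (parse_range(x, &a) || parse_range(y, &b)) return -1;
    struct level lub = { a.low.sens > b.low.sens ? a.low.sens : b.low.sens, a.low.cats | b.low.cats };
    struct level glb = { a.high.sens < b.high.sens ? a.high.sens : b.high.sens, a.high.cats & b.high.cats };
    return dominates(&glb, &lub);   /* overlap iff lub(lows) is dominated by glb(highs) */
}
int main(void) {
    printf("%d\n", mls_ranges_intersect("s2:c0-s2:c0.c10", "s2:c9.c10"));   /* labels from the question */
    return 0;
}
```

The high level s2:c0.c10 dominates s2:c9.c10, but s2:c9.c10 does not dominate the low level s2:c0, so it falls outside the range.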
