On Tue, 2008-02-26 at 08:57 -0500, Stephen Smalley wrote:
> On Tue, 2008-02-26 at 08:42 -0500, Christopher J. PeBenito wrote:
> > On Tue, 2008-02-26 at 20:26 +1100, Russell Coker wrote:
> > > On Tuesday 26 February 2008 07:17, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> > > > > This comes back to forthcoming effort for trying to use RBAC for role
> > > > > separation. That would eliminate the structural complexity we see due
> > > > > to using TE for the role separation
> > > >
> > > > Is work being done on this? I recall you said you were interested in
> > > > taking on this task.
> > >
> > > Is this going to involve using roles on filesystem objects? If not then how
> > > would you distinguish the files created by different roles?
> >
> > Yes, the plan is to use roles on objects.
>
> (note: requires a kernel change)

Right, if you label a directory with a role other than object_r and create a file in it, the file will get object_r. Also there are some userland changes so login programs set the role on the terminal, newrole changes the role on the terminal, etc.

Now that I think about it, that causes a problem for RHEL4 and even RHEL5 compatibility for upstream refpolicy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
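A small check for the behaviour Chris describes, added here as an example and not part of the thread: it parses `ls -Z`-style lines (context followed by path; the sample lines are constructed) and reports files whose SELinux role differs from the role on their parent directory, which is how you would confirm that files created under a role-labelled directory still come out as object_r.

```python
# Added example (not from the thread): parse `ls -Z`-style lines
# (context then path, constructed here) and list files whose SELinux
# role differs from their parent directory's role.
import posixpath
from typing import Dict, List, NamedTuple, Tuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # MLS/MCS range; empty on non-MLS policies

def parse_context(ctx: str) -> Context:
    # Split at most 3 times: the level itself may contain ':' (s0:c0.c1023)
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

def parse_ls_z(lines: List[str]) -> Dict[str, Context]:
    """Map each path to its context from 'context path' lines."""
    entries = {}
    for line in lines:
        line = line.strip()
        if line:
            ctx, path = line.split(None, 1)
            entries[path] = parse_context(ctx)
    return entries

def role_mismatches(entries: Dict[str, Context]) -> List[Tuple[str, str, str]]:
    """(path, dir_role, file_role) for entries whose role differs from their
    listed parent directory's; parents not in the listing are skipped."""
    out = []
    for path, ctx in entries.items():
        parent = posixpath.dirname(path)
        if parent != path and parent in entries and entries[parent].role != ctx.role:
            out.append((path, entries[parent].role, ctx.role))
    return out

# Constructed sample: a home directory relabelled to staff_r, and two files
# created inside it, which today's kernel labels object_r regardless.
SAMPLE = """
system_u:staff_r:user_home_dir_t:s0 /home/alice
system_u:object_r:user_home_t:s0 /home/alice/notes.txt
system_u:object_r:user_home_t:s0:c0.c1023 /home/alice/report.odt
""".splitlines()

if __name__ == "__main__":
    for path, dir_role, file_role in role_mismatches(parse_ls_z(SAMPLE)):
        print(f"{path}: directory role {dir_role}, file role {file_role}")
```

On a real system, feed it the output of `ls -Z` on the directory in question instead of the constructed sample.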