Xavier Toth wrote:
> On Wed, Apr 9, 2008 at 1:28 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> On Wed, 2008-04-09 at 14:13 -0400, Eamon Walsh wrote:
>> > Xavier Toth wrote:
>> > > Also what about the mlsconstrain(s):
>> > >
>> > > #
>> > > # MLS policy for the x_application_data class
>> > > #
>> > > mlsconstrain x_application_data { paste_after_confirm }
>> > > (( l1 eq l2 ) or
>> > > (( t1 == mlsxwinwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
>> > > ( t1 == mlsxwinwrite ));
>> > >
>> > >
>> > > ??
>> > >
>> >
>> > I dunno. Configure to suit your environment. This is for write-downs,
>> > correct? If so then you probably don't want any constraints, since
>> > regular "paste" should succeed in the write-up case (in which case no
>> > confirmation is required), and the point of this permission is to allow
>> > write downs.
>> >
>> > >
>> > > On Tue, Apr 8, 2008 at 1:50 PM, Xavier Toth <txtoth@xxxxxxxxx> wrote:
>> > >
>> > >> I'd prefer copy instead cut.
>> > >>
>> >
>> > This is fine.
>> >
>> > My work on the XCB Python binding is coming along OK. I see that you
>> > are working on Python bindings for the userspace AVC. That's fine, but
>> > you could probably get away with not using the AVC in the selection
>> > manager. You could simply look up the permission and class values in
>> > /selinux, then use security_compute_create for permission checking.
>> > Since the selection manager is driven by user clicking, performance
>> > shouldn't be that big of a deal.
>>
>> security_compute_av().
>> But then he loses out on the libselinux infrastructure for things like
>> permissive mode, mapping the class/perm values internally for him, etc.
>> I think using the AVC interface is best whenever possible.
>>
>>
>
> This is what I'd prefer also and I was hoping Dan would add the avc
> header so that the avc interface bindings would get built into
> _selinux.so.
>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>

Most of the avc.h will not work without a lot of work. Which interfaces
do you need? If the interfaces take a struct, we probably would need to
write a lot of binding code.
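
The mlsconstrain quoted in the thread, evaluated over constructed labels. This is an added example, not code from any participant or from the SELinux project; it models `eq`, `dom` and `domby` on MLS levels to show which paste requests the expression admits. Modelling type attributes as a set of strings and leaving category ranges such as `c0.c3` unexpanded are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    sens: int                      # s0 -> 0, s1 -> 1, ...
    cats: frozenset = frozenset()  # category names, e.g. {"c1", "c3"}

    def dom(self, other):
        """self dominates other: sensitivity >= and categories a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

    def domby(self, other):
        """self is dominated by other."""
        return other.dom(self)

def parse_level(text):
    """Parse 's2' or 's2:c1,c3' (category ranges like c0.c3 are not expanded)."""
    sens, _, cats = text.partition(":")
    return Level(int(sens[1:]), frozenset(c for c in cats.split(",") if c))

def paste_after_confirm_allowed(src_range, src_attrs, tgt_low):
    """Evaluate the quoted constraint for x_application_data { paste_after_confirm }.

    src_range: source MLS range, 'low-high' or a single level (gives l1, h1)
    src_attrs: attributes held by the source type t1 (modelled as a set)
    tgt_low:   low level of the target (l2)
    """
    low, _, high = src_range.partition("-")
    l1, h1, l2 = parse_level(low), parse_level(high or low), parse_level(tgt_low)
    return (l1 == l2
            or ("mlsxwinwritetoclr" in src_attrs and h1.dom(l2) and l1.domby(l2))
            or "mlsxwinwrite" in src_attrs)

if __name__ == "__main__":
    # Constructed sample requests: (source range, source attributes, target level)
    cases = [
        ("s1", set(), "s1"),                        # same level
        ("s2", set(), "s0"),                        # write-down, no attribute
        ("s0-s2", {"mlsxwinwritetoclr"}, "s1"),     # write-up within clearance
        ("s0-s2", {"mlsxwinwritetoclr"}, "s3"),     # write-up above clearance
        ("s2", {"mlsxwinwrite"}, "s0"),             # write-down, exempt type
    ]
    for src, attrs, tgt in cases:
        verdict = paste_after_confirm_allowed(src, attrs, tgt)
        print(f"{src:6} {sorted(attrs)!s:24} -> {tgt:3} : {verdict}")
```

The second case is the plain write-down: under this expression it passes only when the source type carries `mlsxwinwrite`.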