On Fri, 2008-06-13 at 19:39 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > I merged this, but I was thinking about some revisions that we should
> > consider:
> >
> > 1. in the unpriv client interface, we have these type transitions:
> > type_transition $1 sepgsql_database_type:db_table sepgsql_table_t;
> > type_transition $1 sepgsql_database_type:db_procedure sepgsql_proc_t;
> > type_transition $1 sepgsql_database_type:db_blob sepgsql_blob_t;
> >
> > The client can only access the system database, not all databases, so it
> > seems that sepgsql_database_type should be replaced with sepgsql_db_t.
>
> I agreed.
>
> Currently, sepgsql_db_t is the only type of sepgsql_database_type
> except for unlabeled_t; however, these type_transitions can prevent
> users from adding a new database type and new type_transition rules.

I merged this part of the patch.

> > 2. the stored procedure type names have been in the back of my mind for
> > a long time but I couldn't come up with a good naming scheme. This
> > especially bugged me for the sepgsql_trusted_domain_t and
> > sepgsql_trusted_proc_t. Why not just go with what we do with regular
> > domains and executables: sepgsql_trusted_proc_t and
> > sepgsql_trusted_proc_exec_t?
>
> I don't have a clear reason for the naming of them.
> sepgsql_trusted_proc_t and sepgsql_trusted_proc_exec_t are more suitable
> for the purpose, I also think.

It seems that we should also rename $1_sepgsql_proc_t for consistency.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
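The change discussed in point 1, written out as an added refpolicy-style interface fragment (example for illustration, not the merged patch itself; the interface name `sepgsql_unpriv_client` and the `gen_require` block are assumptions):

```m4
## Hypothetical interface name; this is an illustration, not the merged patch.
interface(`sepgsql_unpriv_client',`
	gen_require(`
		attribute sepgsql_database_type;
		type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
	')

	# Before: the transitions were keyed on the attribute. sepgsql_db_t
	# carries it (typeattribute sepgsql_db_t sepgsql_database_type;), but so
	# would any database type a policy author adds later, so the unprivileged
	# client's transitions would also apply to that database, and the author
	# could not give it its own type_transition rules without a conflict.
	#
	#   type_transition $1 sepgsql_database_type:db_table sepgsql_table_t;
	#   type_transition $1 sepgsql_database_type:db_procedure sepgsql_proc_t;
	#   type_transition $1 sepgsql_database_type:db_blob sepgsql_blob_t;

	# After: keyed on the one database the client may actually use,
	# the system database labelled sepgsql_db_t.
	type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
	type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_t;
	type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
')
```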