Christopher J. PeBenito wrote:
>>> 2. the stored procedure type names have been in the back of my mind for
>>> long time but I couldn't come up with a good naming scheme. This
>>> especially bugged me for the sepgsql_trusted_domain_t and
>>> sepgsql_trusted_proc_t. Why not just go with what we do with regular
>>> domains and executables: sepgsql_trusted_proc_t and
>>> sepgsql_trusted_proc_exec_t?
>> I don't have a clear reason for the naming of them.
>> sepgsql_trusted_proc_t and sepgsql_trusted_proc_exec_t are more suitable
>> for the purpose, I also think.
>
> It seems that we should also rename $1_sepgsql_proc_t for consistency.

Sorry for the late reply.

At first, $1_sepgsql_proc_t lost the term of "trusted", so its name does not
show its purpose.
And, are there any differences between user_sepgsql_proc_t and
staff_sepgsql_proc_t?

If you intend this idea enables end-users to extend their policy of
$1_sepgsql_proc_t by security module, I also think it is a good idea,
even if there are no differences in the default.

But trusted procedure works as an unconfined database domain.
There is no margin to customize except for MLS/MCS.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>