Stephen Smalley wrote:
> On Fri, 2008-09-19 at 10:07 -0400, Joshua Brindle wrote:
>> For symbol labeling purposes for policy access control we need to be
>> able to look up symbol hierarchy relationships. I expect we'll do this
>> by exporting the symbol hierarchy via selinuxfs. Does anyone have
>> suggestions on what that should look like? Do we want to export
>> additional information on the symbols at the same time?
>
> I would have thought that the policy server would have its own internal
> policydb that it could consult to check hierarchy relationships?
>

We want to avoid loading more policydbs since RAM usage and performance were issues with the expand-based access control.

> In any event, if we were to export such info via selinuxfs, then yes,
> we'd want to also export other information about the symbols, such as
> the user role and level authorizations, so that that information could
> be used by libselinux and we could ultimately deprecate /selinux/user
> aka security_compute_user().
>

So, something like

/selinux/symbols/types/httpd_cgi_t
bounds: httpd_t

/selinux/symbols/users/user_u
bounds: staff_u
roles: user_r
levels: s0-s0:c0.c128

?

or maybe

/selinux/symbols/users/user_u/roles
user_r
/selinux/symbols/users/user_u/bounds
staff_u

?
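To make the first sketched layout concrete, here is an added example (not code from the thread, from libselinux, or from any shipped selinuxfs interface) of a consumer that reads one "key: value" file per symbol, walks the bounds chain, and answers the two questions the mail raises: is one type bounded by another, and which roles a user is authorized for. The /selinux/symbols layout was only proposed in this thread, so the snapshot below is a constructed in-memory stand-in for those files, and the field names "bounds", "roles" and "levels" are taken from the mail; everything else (function names, the cycle check, the sample symbols) is this example's own assumption.

```python
"""Reader for the proposed /selinux/symbols layout (hypothetical).

Each symbol is a file whose contents are "key: value" lines, e.g.
    /selinux/symbols/users/user_u
    bounds: staff_u
    roles: user_r
    levels: s0-s0:c0.c128
The functions take a mapping of relative path -> file text so the example
runs without a real selinuxfs mount.
"""

# Constructed snapshot standing in for files under /selinux/symbols.
# A symbol with no "bounds" line is the top of its hierarchy.
SNAPSHOT = {
    "types/httpd_t": "",
    "types/httpd_cgi_t": "bounds: httpd_t\n",
    "types/httpd_sys_script_t": "bounds: httpd_cgi_t\n",
    "users/staff_u": "roles: staff_r sysadm_r\nlevels: s0-s0:c0.c1023\n",
    "users/user_u": "bounds: staff_u\nroles: user_r\nlevels: s0-s0:c0.c128\n",
}


def parse_symbol(text):
    """Parse "key: value" lines into a dict; reject lines without a colon."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed symbol line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def read_symbol(fs, kind, name):
    """Read and parse symbols/<kind>/<name>; unknown symbols are an error."""
    path = "%s/%s" % (kind, name)
    if path not in fs:
        raise KeyError("no such symbol: " + path)
    return parse_symbol(fs[path])


def bounds_chain(fs, kind, name):
    """Return [name, parent, grandparent, ...] up to the unbounded root.

    A cycle in the exported data would otherwise loop forever, so it is
    detected and reported instead of trusted.
    """
    chain = [name]
    seen = {name}
    while True:
        parent = read_symbol(fs, kind, chain[-1]).get("bounds")
        if not parent:
            return chain
        if parent in seen:
            raise ValueError("bounds cycle involving " + parent)
        seen.add(parent)
        chain.append(parent)


def is_bounded_by(fs, kind, child, ancestor):
    """True if ancestor appears strictly above child in the bounds chain."""
    return ancestor in bounds_chain(fs, kind, child)[1:]


def user_roles(fs, user):
    """Set of roles the exported user symbol authorizes."""
    return set(read_symbol(fs, "users", user).get("roles", "").split())


def user_authorized(fs, user, role):
    """Role check driven by the exported symbol rather than /selinux/user."""
    return role in user_roles(fs, user)


if __name__ == "__main__":
    print(" -> ".join(bounds_chain(SNAPSHOT, "types", "httpd_sys_script_t")))
    print("user_u may use user_r:", user_authorized(SNAPSHOT, "user_u", "user_r"))
    print("user_u may use sysadm_r:", user_authorized(SNAPSHOT, "user_u", "sysadm_r"))
```

Reading the symbols this way keeps the consumer free of any policydb of its own, which is the RAM and performance concern the reply raises; the only state it holds is the handful of files it actually opens. The second sketched layout (one file per attribute) would need only a different read_symbol that joins the per-attribute files into the same dict.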