Re: typebounds lookup from userspace

KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> For symbol labeling purposes for policy access control we need to be able
>> to look up symbol hierarchy relationships. I expect we'll do this by exporting
>> the symbol hierarchy via selinuxfs. Does anyone have suggestions on what that
>> should look like? Do we want to export additional information on the symbols
>> at the same time?
>
> I noticed that userspace object managers also need an interface to get metadata
> of types to support permissive domain. Currently, we don't have any interface
> to know what domain should be handled as permissive domain.
>
> If "/selinux/access" can return the 6th value to show whether the given query
> should be handled as permissive domain or not, it helps userspace object managers.

Why does a userspace object manager need to know if a domain is marked
permissive?  That should be hidden behind security_compute_av().


> It is undesirable for me to add a new interface to query whether the given domain
> is permissive or not, because it cannot avoid atomicity matter.
>
> Thanks,

-- 
Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
National Security Agency

