On 4/20/09 1:21 PM, "Eric Paris" <eparis@xxxxxxxxxx> wrote:

<snip>

> I'm going to spend a couple minutes and try to prototype an all in
> kernel solution such that on access() we will check the permission:
>
> allow process_t file_t:file read
>
> if there is a dontaudit rule for EITHER "read" or "access_read" we will
> NOT print an avc denial.
>
> on the actual usage we will ONLY check for the "read" dontaudit.

That sounds like a better solution than anything we've talked about so far. It would mean the policy author would only have to worry about the access_* perms if they cared about the issue they're designed to solve. Hopefully you can find an acceptable way to pull it off in the kernel. I'm rooting for you!

Chad

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
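The audit rule Eric sketches above, modelled as a small added example (not code from the thread or from the kernel AVC): the grant decision always uses the real permission, while an access(2) probe is silenced by a dontaudit on either "read" or "access_read" and an actual use only by a dontaudit on "read". The Rule structure, avc_check() and the sample policy are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed toy policy model: one TE rule, either an allow or a dontaudit.
@dataclass(frozen=True)
class Rule:
    kind: str          # "allow" or "dontaudit"
    source: str        # source type, e.g. "process_t"
    target: str        # target type, e.g. "file_t"
    tclass: str        # object class, e.g. "file"
    perms: frozenset   # permissions named by the rule

def _matches(rules, kind, source, target, tclass, perm):
    """True if any rule of the given kind grants/silences this perm."""
    return any(r.kind == kind and r.source == source and r.target == target
               and r.tclass == tclass and perm in r.perms for r in rules)

def avc_check(rules, source, target, tclass, perm, from_access):
    """Return (granted, audited) for one permission check.

    granted: whether an allow rule covers the real permission (e.g. "read").
    audited: whether a denial would be logged. For a check coming from
    access(2), a dontaudit on either the real perm or "access_<perm>"
    suppresses the message; for an actual use only the real perm counts.
    """
    if _matches(rules, "allow", source, target, tclass, perm):
        return True, False
    quiet_perms = {perm}
    if from_access:
        quiet_perms.add("access_" + perm)
    audited = not any(_matches(rules, "dontaudit", source, target, tclass, p)
                      for p in quiet_perms)
    return False, audited

# Constructed sample policy: read is not allowed, but the access() probe is
# silenced via access_read, so only a real read attempt produces a denial.
POLICY = [
    Rule("dontaudit", "process_t", "file_t", "file", frozenset({"access_read"})),
]

if __name__ == "__main__":
    print("access() probe :", avc_check(POLICY, "process_t", "file_t", "file", "read", True))
    print("actual read    :", avc_check(POLICY, "process_t", "file_t", "file", "read", False))
```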