On Tue, 2010-01-26 at 12:52 -0500, Stephen Smalley wrote:
> Alternatively to spending time on documenting the current limitation, it
> might be more interesting to try removing the restriction from the
> SELinux kernel code and investigating what needs to be done within the
> kernel to enable it to be done safely. Primarily this would mean:
> - pushing the selinux_mls_enabled flag inside the policydb so that it
> could be per-policydb (this is already the case in libsepol),
> - in the non-MLS to MLS case, ensuring that the MLS fields of the
> context for all existing entries in the sidtab are filled in with a
> suitable default value, likely taken from one of the initial SIDs,
> - in the MLS to non-MLS case, freeing any storage used by the MLS fields
> in the context for all existing entries in the sidtab.

FYI, both of the latter two items would be handled inside of ss/services.c:convert_context().

-- 
Stephen Smalley
National Security Agency
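As an added illustration, and not code from the message or from the SELinux kernel: a standalone C model of the two sidtab conversion cases described above, with the MLS flag carried per-policydb rather than as a global. The struct layouts, the `unlabeled_range` field standing in for the MLS fields of an initial SID, and `convert_sidtab` are assumptions of this sketch.

```c
#include <stdlib.h>

/* Simplified security context: user/role/type are always present,
 * the MLS range is only allocated when the loaded policy is MLS. */
struct mls_range { int low; int high; };
struct context {
    int user, role, type;
    struct mls_range *range;   /* NULL under a non-MLS policy */
};

/* Per-policydb MLS flag, as the message proposes. unlabeled_range is a
 * stand-in for the MLS fields of an initial SID used as the default. */
struct policydb {
    int mls_enabled;
    struct mls_range unlabeled_range;
};

/* Convert one sidtab entry from oldp's policy to newp's policy.
 * Returns 0 on success, -1 on allocation failure. */
int convert_context(const struct policydb *oldp, const struct policydb *newp,
                    struct context *c)
{
    if (oldp->mls_enabled && !newp->mls_enabled) {
        /* MLS -> non-MLS: release the MLS storage so no stale range remains. */
        free(c->range);
        c->range = NULL;
        return 0;
    }
    if (!oldp->mls_enabled && newp->mls_enabled) {
        /* non-MLS -> MLS: every existing entry needs a valid range;
         * take the default from the simulated initial SID. */
        c->range = malloc(sizeof *c->range);
        if (!c->range)
            return -1;
        *c->range = newp->unlabeled_range;
        return 0;
    }
    /* Same MLS mode on both sides: nothing to do in this model. */
    return 0;
}

/* Convert every entry of a simulated sidtab; stops at the first failure. */
int convert_sidtab(const struct policydb *oldp, const struct policydb *newp,
                   struct context *tab, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (convert_context(oldp, newp, &tab[i]))
            return -1;
    return 0;
}
```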