On Thu, 2010-03-25 at 14:17 -0400, Stephen Smalley wrote:
> It seems to me that it really should only get the low/current level of
> the peer, not the full range, e.g. mls_context_cpy_low(), so that we
> don't turn a connection from a ranged subject into a fully ranged
> socket?

Is that even the best, by itself? We would still be in the same situation, except now we would have a random virtual machine svirt_t:s3:c156 trying to read/write to a socket with the label svirt_t:s0:c0, since libvirtd_t is going to pretty much always be running as libvirtd_t:s0-s15:c0-1023.

If we have to go that way, do we have some sort of crazy copy_mls_level_subset() or other such foolishness? *smile*

-Eric

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
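The two labelling choices the thread contrasts can be made concrete with a small model of MLS levels and ranges. The following is an added example, not code from the selinux list, the SELinux kernel or libsepol: copy_full_range() and copy_low_level() are hypothetical stand-ins for "copy the peer's whole range" and "copy only the peer's low/current level, as mls_context_cpy_low() would"; the MLS strings are the ones quoted in the thread, written in canonical SELinux syntax (the shorthand c0-1023 appears as c0.c1023); and mls_access() applies the textbook no-read-up / no-write-down rule rather than the exact mlsconstrain statements of any real policy.

```python
"""Toy model of SELinux MLS levels and ranges.

Added example for this thread; it is not code from the selinux mailing
list, the SELinux kernel, or libsepol. copy_full_range() and
copy_low_level() are hypothetical stand-ins for the two behaviours the
thread contrasts (copy the peer's whole range, or only its low/current
level as mls_context_cpy_low() would). The MLS strings are the ones
quoted in the thread, written in canonical SELinux syntax, so the
thread's shorthand c0-1023 appears here as c0.c1023.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity s<N> plus a set of categories c<N>."""
    sens: int
    cats: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Level") -> bool:
        # Standard MLS dominance: sensitivity at least as high and a
        # superset of the other level's categories.
        return self.sens >= other.sens and self.cats >= other.cats


@dataclass(frozen=True)
class Range:
    """An MLS range low-high; a single level is the range with low == high."""
    low: Level
    high: Level


def parse_level(text: str) -> Level:
    """Parse 's3:c156', 's0' or 's15:c0.c1023' into a Level."""
    m = re.fullmatch(r"s(\d+)(?::(.+))?", text)
    if not m:
        raise ValueError(f"bad MLS level: {text!r}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        cm = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not cm:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(cm.group(1))
        hi = int(cm.group(2)) if cm.group(2) else lo
        cats.update(range(lo, hi + 1))
    return Level(int(m.group(1)), frozenset(cats))


def parse_range(text: str) -> Range:
    """Parse 's0-s15:c0.c1023' (or a bare level) into a Range."""
    # Category lists use '.', so the first '-' always separates low from high.
    low, _, high = text.partition("-")
    low_lvl = parse_level(low)
    return Range(low_lvl, parse_level(high) if high else low_lvl)


def copy_full_range(peer: Range) -> Range:
    """Label the socket with the peer's entire range (the 'fully ranged socket')."""
    return peer


def copy_low_level(peer: Range) -> Range:
    """Label the socket with only the peer's low/current level (mls_context_cpy_low-style)."""
    return Range(peer.low, peer.low)


def mls_access(subject: Level, obj: Range) -> dict:
    """Textbook MLS outcome for a single-level subject against a ranged object.

    read  : the subject must dominate the object's low level (no read-up).
    write : the object's high level must dominate the subject (no write-down).
    This is the classic rule, not the mlsconstrain statements of any real policy.
    """
    return {
        "read": subject.dominates(obj.low),
        "write": obj.high.dominates(subject),
    }


# Labels quoted in the thread (MLS portion only).
LIBVIRTD = parse_range("s0-s15:c0.c1023")   # libvirtd_t, always running
VM = parse_level("s3:c156")                  # a random svirt_t guest

if __name__ == "__main__":
    for name, sock in (("full range", copy_full_range(LIBVIRTD)),
                       ("low level only", copy_low_level(LIBVIRTD))):
        print(f"socket labelled with peer's {name}: {mls_access(VM, sock)}")
```

Run stand-alone, the script shows the trade-off in the thread: a socket carrying libvirtd_t's full range is readable and writable by the s3:c156 guest (and by any other level inside s0-s15:c0.c1023), while a socket carrying only the low level s0 is readable by the guest but not writable under the no-write-down rule.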