-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/28/2010 10:25 AM, Karl MacMillan wrote: I understand, although I don't agree with penalizying because you match on an attribute, Currently if I wrote this interface the way I want, with just the attribute your algorithm would not find it at all. files_read_etc_files to me means match all config files in the /etc directory, just because some random application decides to change the context of /etc/hostname to etc_runtime_t or net_conf_t, we should not need to change all domains that are supposed to read generic files in /etc. Especially when I don't even need to read them. I would argue that allow X etc_t:file read; allow X configfile:file read; Should be weighted equivalently if etc_t is a configfile or only slightly heavier, and just because etc_runtime_t or some other random types are configfile does not mean we need to add weight. But when the attribute adds more weight then "write" does, I think the algorithm is broken. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvYVY4ACgkQrlYvE4MpobOKSgCgguxc5xhYFpW1GGSnN4N+6v/Z qUsAoOjz7qSp8kiDHBUN2SYoKWsZfTNK =Ubgb -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
