RE: [v2 PATCH 0/3] SELinux: separate socket type than its creator

Hi Russell,

> Subject: RE: [v2 PATCH 0/3] SELinux: separate socket type than its creator
> From: russell@xxxxxxxxxxxx
> Date: Fri, 11 Mar 2011 15:10:32 +1100
> To: harrytaurus2002@xxxxxxxxxxx
> CC: selinux@xxxxxxxxxxxxx
>
> The constraints for MLS can have rules excluding specified types or attributes. We could have an attribute for domains whose unix sockets should be excluded from MLS.

Well, I think the current mlstrustedobject attribute serves nothing but this purpose, does it :-)

> It seems to me that the only real benefit to allowing a Unix socket to have a different type to the domain that created it is for a domain that creates multiple sockets with different types.
>
> Maybe this would be good for systemd.

Yes, you are right on this point: socket labeling could allow sockets of different classes created by the same domain to have different types if that is desirable, which is a desirable flexibility, I think.

Thanks for your comments!

Best regards,
Harry


> --
> My blog http://etbe.coker.com.au