RE: [v0 PATCH 2/3] SELinux: Compute role in newcontext for all classes

Hi Stephen,

[cut]
> >
> > Suppose we have below role_transition rule:
> >
> > role_transition sysadm_r user_home_t : dir sysadm_r;
> >
> > If roletr->type is compared with newcontext.type, then it means that if
> > sysadm_r is creating a directory object with type equal to
> > user_home_t, then the directory object will have a role of sysadm_r.
> >
> > However, if roletr->type is compared with tcontext->type, then the
> > semantics would be changed to that any objects of any class created by
> > sysadm_r in a directory object of the user_home_t type would have
> > their role set to sysadm_r, since in selinux_inode_init_security(),
> > dir->i_security is passed as tsid always.
> >
> > I guess the former approach could have much more refined control over
> > the objects' role: if objects are of different types, then they could
> > assume different roles, not necessarily all files in one directory
> > have to share the same role.
> >
> > What do you think?
>
> Compare with type_transition or range_transition semantics.
> type_transition sysadm_t tmp_t : sock_file sysadm_tmp_t;
> means when a sysadm_t (scontext->type) process creates a socket file
> (tclass) object in a directory labeled tmp_t (tcontext->type), then
> label the socket file with sysadm_tmp_t (newcontext->type).
>
> type_transition sysadm_t sshd_exec_t:process sshd_t;
> means when a sysadm_t (scontext->type) process executes a sshd_exec_t
> (tcontext->type) file, then label the new process (tclass) with sshd_t
> (newcontext->type).
>
> See how they are consistently applied regardless of whether it is a
> process or object class?
>

Thanks for taking the patience to correct me. Now I've got it: for newly created objects, the type field in both role_transition and type_transition rules is always the parent directory type, and we can still use the class field in both rules to specify which object classes the rule applies to. So I am now clear that there won't be such a thing as "any object of any class in the same parent directory would have the same role"; please see the tests I've done.

Best regards,
Harry


> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
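As an added illustration of the semantics discussed above (this is constructed example code, not part of the thread, the patch under review or the kernel), the following C program models the create-time rule matching of security_compute_sid(): type_transition keys on (scontext->type, tcontext->type, tclass) and role_transition keys on (scontext->role, tcontext->type, tclass), where tcontext is the parent directory for object classes and the executable for the process class. The three rules are the ones quoted in the thread; the fourth (role_transition sysadm_r sshd_exec_t : process system_r), the contexts and the user identities are constructed for the demonstration and are not from the messages. Running it shows that a dir created by sysadm_r in a user_home_t directory gets role sysadm_r while a file created in the same directory keeps object_r, because the class field is part of the key.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of SELinux create-time labelling (the rule matching in
 * security_compute_sid(), security/selinux/ss/services.c).  Not kernel code:
 * contexts are plain strings here, the kernel works on SIDs and symbol indices. */
struct context {
    const char *user;
    const char *role;
    const char *type;
};

/* type_transition SOURCE_TYPE TARGET_TYPE : CLASS NEW_TYPE; */
struct type_transition {
    const char *stype, *ttype, *tclass, *newtype;
};

/* role_transition SOURCE_ROLE TARGET_TYPE : CLASS NEW_ROLE; */
struct role_transition {
    const char *srole, *ttype, *tclass, *newrole;
};

/* The rules quoted in the thread, plus one constructed process-class
 * role_transition (last entry) so that both kinds of class are exercised. */
static const struct type_transition type_trans[] = {
    { "sysadm_t", "tmp_t",       "sock_file", "sysadm_tmp_t" },
    { "sysadm_t", "sshd_exec_t", "process",   "sshd_t"       },
};
static const struct role_transition role_trans[] = {
    { "sysadm_r", "user_home_t", "dir",     "sysadm_r" },
    { "sysadm_r", "sshd_exec_t", "process", "system_r" },  /* constructed */
};

#define N_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Compute the label of a new object (or of the process after exec).
 * scontext: the creating/executing process.  tcontext: the parent directory
 * for object classes, the executable file for the process class. */
struct context compute_create(struct context scontext, struct context tcontext,
                              const char *tclass)
{
    struct context newcontext;
    size_t i;
    int process = strcmp(tclass, "process") == 0;

    /* Defaults: a new process inherits from the source; a new object
     * takes object_r and the parent directory's type. */
    newcontext.user = scontext.user;
    newcontext.role = process ? scontext.role : "object_r";
    newcontext.type = process ? scontext.type : tcontext.type;

    /* type_transition keys on (scontext->type, tcontext->type, tclass). */
    for (i = 0; i < N_ELEMS(type_trans); i++) {
        if (strcmp(type_trans[i].stype, scontext.type) == 0 &&
            strcmp(type_trans[i].ttype, tcontext.type) == 0 &&
            strcmp(type_trans[i].tclass, tclass) == 0) {
            newcontext.type = type_trans[i].newtype;
            break;
        }
    }

    /* role_transition keys on (scontext->role, tcontext->type, tclass):
     * the same target type as type_transition, i.e. the parent directory
     * (or executable) type, never the type just computed for the object. */
    for (i = 0; i < N_ELEMS(role_trans); i++) {
        if (strcmp(role_trans[i].srole, scontext.role) == 0 &&
            strcmp(role_trans[i].ttype, tcontext.type) == 0 &&
            strcmp(role_trans[i].tclass, tclass) == 0) {
            newcontext.role = role_trans[i].newrole;
            break;
        }
    }
    return newcontext;
}

/* Constructed contexts for the demonstration. */
static const struct context sysadm_proc = { "root",     "sysadm_r", "sysadm_t"    };
static const struct context home_dir    = { "user_u",   "object_r", "user_home_t" };
static const struct context tmp_dir     = { "system_u", "object_r", "tmp_t"       };
static const struct context sshd_exec   = { "system_u", "object_r", "sshd_exec_t" };

static void show(const char *what, struct context c)
{
    printf("%-32s -> %s:%s:%s\n", what, c.user, c.role, c.type);
}

int main(void)
{
    /* dir in user_home_t: role_transition matches, role becomes sysadm_r */
    show("dir created in user_home_t", compute_create(sysadm_proc, home_dir, "dir"));
    /* file in the same directory: class differs, role stays object_r */
    show("file created in user_home_t", compute_create(sysadm_proc, home_dir, "file"));
    /* sock_file in tmp_t: type_transition matches, role stays object_r */
    show("sock_file created in tmp_t", compute_create(sysadm_proc, tmp_dir, "sock_file"));
    /* exec of sshd_exec_t: both rules key on the executable's type */
    show("sysadm_t executes sshd_exec_t", compute_create(sysadm_proc, sshd_exec, "process"));
    return 0;
}
```

The two loops deliberately compare against tcontext.type in both places; changing the role_transition loop to compare against newcontext.type would make the role depend on the outcome of type_transition, which is the alternative reading the thread rejects.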
