Kohei Kaigai wrote:
<snip>
trusted procedures are not processes and should not use the process object class.
We may need to have an upper meta-level viewpoint.
When a subject entity appeared in operating system, we call it "process".
When a subject entity appeared in database system, we call it something like "db_client".
And, a subject entity appeared in operating system tries to access database objects,
its security label is dealt with "db_client" class. Hmm.
It isn't that surprising. When processes create sockets they are labeled as the
process label by default, files in /proc/<pid> are labeled as the process label.
Just because the label is the same doesn't mean the object class is.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
