On Fri, Sep 23, 2011 at 11:07 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
<snip>
>>
>> level_default file fromsource; == MLS;
>> level_default file fromtarget; == MCS;
>>
>> Anyone want to step forward and implement? :^)
>
> Need to distinguish low vs high. In MLS, you want to inherit the low
> level of the source/subject/process.
>
> Also, do you want the MCS behavior for all types or selectively? For
> example, if a svirt_t:s0:c256,c387 process creates a file in a :s0
> directory (is that even possible?), do you really want that file to
> be :s0?
>

Couldn't you use a range_transition in this case to specify an
exception to the default behavior for category inheritance?

AFAICS, using rules such as (user|role|type|level|range)_default,
we're only specifying default labeling behaviors for the different
fields of a context. More specific *_transition rules can exist in
policy that should override any defaults defined elsewhere.

Thanks,
David

> --
> Stephen Smalley
> National Security Agency

--
PGP: 6141 5FFD 11AE 9844 153E F268 7C98 7268 6B19 6CC9

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
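The precedence discussed in this thread (a per-class level default, with a more specific range_transition acting as the exception), sketched as an added example; it is a toy model, not code from the thread or from SELinux. The low/high selector, the types example_dir_t and example_t, and all sample contexts are assumptions constructed for illustration; only svirt_t, its s0:c256,c387 level and the fromsource/fromtarget keywords come from the messages.

```python
# Added illustration: toy model of "specific *_transition beats *_default".
# Not SELinux code; rule names follow the syntax proposed in the thread.
from typing import Dict, NamedTuple, Tuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    low: str   # low level of the range
    high: str  # high level (equals low for a single-level range)

def parse_context(text: str) -> Context:
    # user:role:type:range, where the range may itself contain ':' (s0:c256,c387)
    user, role, type_, rng = text.split(":", 3)
    low, _, high = rng.partition("-")
    return Context(user, role, type_, low, high or low)

# class -> (origin, bound). "fromsource"/"fromtarget" come from the thread;
# the "low"/"high" selector is an assumed spelling of the low-vs-high point.
LevelDefaults = Dict[str, Tuple[str, str]]
# (source type, target type, class) -> fixed range named by the rule
RangeTransitions = Dict[Tuple[str, str, str], str]

def new_object_level(source: Context, target: Context, tclass: str,
                     defaults: LevelDefaults,
                     transitions: RangeTransitions) -> str:
    # A specific range_transition rule wins over any per-class default.
    rule = transitions.get((source.type, target.type, tclass))
    if rule is not None:
        return rule
    origin, bound = defaults[tclass]
    if origin not in ("fromsource", "fromtarget") or bound not in ("low", "high"):
        raise ValueError(f"bad level_default for {tclass}: {origin} {bound}")
    ctx = source if origin == "fromsource" else target
    return ctx.low if bound == "low" else ctx.high

# Constructed sample contexts (hypothetical users, roles and directory type).
SVIRT = parse_context("system_u:system_r:svirt_t:s0:c256,c387")
PLAIN_DIR = parse_context("system_u:object_r:example_dir_t:s0")
MLS_PROC = parse_context("user_u:user_r:example_t:s1-s3")

MCS = {"file": ("fromtarget", "low")}   # level_default file fromtarget
MLS = {"file": ("fromsource", "low")}   # level_default file fromsource
EXCEPTION = {("svirt_t", "example_dir_t", "file"): "s0:c256,c387"}

if __name__ == "__main__":
    print(new_object_level(SVIRT, PLAIN_DIR, "file", MCS, {}))
    print(new_object_level(SVIRT, PLAIN_DIR, "file", MCS, EXCEPTION))
    print(new_object_level(MLS_PROC, PLAIN_DIR, "file", MLS, {}))
```

Under the MCS default alone the svirt_t-created file takes the directory's level; adding the exception rule changes only that one source/target/class combination.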