On Sat, 2011-09-24 at 18:05 -0400, David Windsor wrote:
> On Fri, Sep 23, 2011 at 11:07 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> <snip>
>
> >>
> >> level_default file fromsource; == MLS;
> >> level_default file fromtarget; == MCS;
> >>
> >> Anyone want to step forward and implement? :^)
> >
> > Need to distinguish low vs high.  In MLS, you want to inherit the low
> > level of the source/subject/process.
> >
> > Also, do you want the MCS behavior for all types or selectively?  For
> > example, if a svirt_t:s0:c256,c387 process creates a file in a :s0
> > directory (is that even possible?), do you really want that file to
> > be :s0?
> >
>
> Couldn't you use a range_transition in this case to specify an
> exception to the default behavior for category inheritance?
>
> AFAICS, using rules such as (user|role|type|level|range)_default,
> we're only specifying default labeling behaviors for the different
> fields of a context.  More specific *_transition rules can exist in
> policy that should override any defaults defined elsewhere.

range_transition would only let you specify things like "When files are
created by a process with domain D in a directory with type T, the range
should be set to R.".  Not rules of the form "Files created by processes in
domain D1 should inherit their level from their creator while files created
by processes in domain D2 should inherit their level from the parent
directory."

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
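The distinction Stephen draws in the message above (a range_transition maps a fixed creating domain, parent type and class to one fixed range R, whereas the proposed per-domain default says *where* the level comes from) is easier to see in a small model. The following is an added example written for this page; it is not code from the SELinux kernel, from libsepol or from any shipped policy. The `Context` class, the `RANGE_TRANSITIONS` table, the `LEVEL_DEFAULTS` table and the behaviour names `source_low`, `source_high`, `target_low`, `target_high` are assumptions (the names mirror the low/high and source/target split Stephen asks for, and the later `default_range` policy statement, but nothing here is the real policy syntax). The sample contexts are constructed.

```python
"""Toy model of how the MLS/MCS range of a newly created file is chosen.

Added example for the selinux-list thread above; not SELinux kernel,
libsepol or refpolicy code.  It contrasts three ways the range of a
new file can be picked, to show why a range_transition rule cannot
express "inherit from the creator for domain D1, from the parent
directory for domain D2": the rule's right-hand side is a constant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context: user:role:type:range (assumed helper)."""
    user: str
    role: str
    type: str
    range: str  # e.g. "s0", "s0:c256,c387" or "s0-s2:c0.c1023"

    @classmethod
    def parse(cls, text):
        # The range itself may contain ':' (s0:c1), so split at most 3 times.
        user, role, type_, range_ = text.split(":", 3)
        return cls(user, role, type_, range_)

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.range}"


def low_level(mls_range):
    """Low (effective) level of a range; a single level is its own low."""
    return mls_range.split("-", 1)[0]


def high_level(mls_range):
    """High (clearance) level of a range."""
    return mls_range.split("-", 1)[-1]


# range_transition rules, keyed the only way the statement allows:
# (source domain, parent/target type, object class) -> one fixed range.
# Constructed sample policy, not taken from any real policy.
RANGE_TRANSITIONS = {
    ("svirt_t", "tmp_t", "file"): "s0",
}

# Hypothetical per-domain defaults of the kind the thread discusses.
# Each value names which context (source = creating process,
# target = parent directory) and which end of its range (low/high)
# the new object's level is taken from.
LEVEL_DEFAULTS = {
    "svirt_t": "source_low",  # MCS-style: keep the creator's categories
    "staff_t": "source_low",  # MLS: inherit the creator's low level
    "guest_t": "target_low",  # take the parent directory's level instead
}


def new_file_range(proc, parent, obj_class="file",
                   transitions=RANGE_TRANSITIONS, defaults=None):
    """Range a newly created object would receive under this model.

    Precedence modelled here: an explicit range_transition wins, then a
    per-domain default, then the kernel's built-in behaviour for non-process
    classes, which is to give the object the low level of the creator.
    """
    key = (proc.type, parent.type, obj_class)
    if key in transitions:
        return transitions[key]          # fixed R, whoever the creator is
    if defaults and proc.type in defaults:
        side, end = defaults[proc.type].split("_")
        src = proc.range if side == "source" else parent.range
        return low_level(src) if end == "low" else high_level(src)
    return low_level(proc.range)         # built-in default: creator's low


def label_new_file(proc, parent, **kw):
    """Full context of the new file: user from the creator, role object_r,
    type from the parent directory (no type_transition modelled), and the
    range from new_file_range()."""
    return Context(proc.user, "object_r", parent.type,
                   new_file_range(proc, parent, **kw))


if __name__ == "__main__":
    vm_a = Context.parse("system_u:system_r:svirt_t:s0:c256,c387")
    vm_b = Context.parse("system_u:system_r:svirt_t:s0:c12,c900")
    tmp = Context.parse("system_u:object_r:tmp_t:s0")
    # With only the range_transition, both VMs' files collapse to R = s0.
    print(new_file_range(vm_a, tmp), new_file_range(vm_b, tmp))
    # With a per-domain "source_low" default each VM keeps its own categories.
    print(new_file_range(vm_a, tmp, transitions={}, defaults=LEVEL_DEFAULTS),
          new_file_range(vm_b, tmp, transitions={}, defaults=LEVEL_DEFAULTS))
```

Run it and the first line prints `s0 s0`: a range_transition keyed on `svirt_t` cannot distinguish the two guests, so the only way to get per-guest categories from it would be one rule per category set, which is not how the statement is meant to be used. The second line prints each guest's own categories, which is what a "fromsource" style default expresses in a single rule, and what a "fromtarget" default expresses for a domain such as the constructed `guest_t` here.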