-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/27/2011 12:06 PM, Stephen Smalley wrote:
> On Sat, 2011-09-24 at 18:05 -0400, David Windsor wrote:
>> On Fri, Sep 23, 2011 at 11:07 AM, Stephen Smalley
>> <sds@xxxxxxxxxxxxx> wrote:
>>
>> <snip>
>>
>>>> level_default file fromsource; == MLS;
>>>> level_default file fromtarget; == MCS;
>>>>
>>>> Anyone want to step forward and implement? :^)
>>>
>>> Need to distinguish low vs high. In MLS, you want to inherit
>>> the low level of the source/subject/process.
>>>
>>> Also, do you want the MCS behavior for all types or
>>> selectively? For example, if a svirt_t:s0:c256,c387 process
>>> creates a file in a :s0 directory (is that even possible?), do
>>> you really want that file to be :s0?
>>>
>>
>> Couldn't you use a range_transition in this case to specify an
>> exception to the default behavior for category inheritance?
>>
>> AFAICS, using rules such as
>> (user|role|type|level|range)_default, we're only specifying
>> default labeling behaviors for the different fields of a context.
>> More specific *_transition rules can exist in policy that should
>> override any defaults defined elsewhere.
>
> range_transition would only let you specify things like "When files
> are created by a process with domain D in a directory with type T,
> the range should be set to R.". Not rules of the form "Files
> created by processes in domain D1 should inherit their level from
> their creator while files created by processes in domain D2 should
> inherit their level from the parent directory."
>

I think this is a different, more advanced language construct, that frankly I don't care about right now. Implement it in CIL. I have a problem I need to implement in the F17/F18 time frame in order for it to make RHEL7. I only need to change the default for MCS from

level_default file fromsource; == MLS;

to

level_default file fromtarget; == MCS;

I cannot wait for the theoretical best fix that never comes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6CEjwACgkQrlYvE4MpobNN/gCghV2LwrfGce50FdX7Iel0Z8pO
1IoAn3Vf7sXxz9qFsEnpoZQT6yIcjVUH
=sOyu
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
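The distinction Stephen Smalley draws in the thread above (a range_transition pins a fixed range to a (source domain, target type, class) triple, whereas the proposed level_default would inherit either the low level of the creating process, the MLS case, or the range of the parent directory, the MCS case) is easiest to see in a small model of the label computation. The following Python is an added illustration written for this page, not kernel code or policy from the thread: the Context class, the new_file_range and new_file_context functions, the "source_low"/"target" mode names and the svirt_t/virt_image_t sample contexts are all constructed here and are not policy syntax.

```python
"""Toy model of how a new file's MLS/MCS range is chosen under two
candidate defaults and under an explicit range_transition.  Added
illustration only: not SELinux kernel code, and the mode names below
("source_low", "target") are this model's own, not policy language."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:range, range being low or low-high."""
    user: str
    role: str
    type: str
    low: str   # sensitivity[:categories], e.g. "s0:c256,c387"
    high: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        # Split at the first three colons; everything after is the range,
        # which itself may contain colons (the category part).
        user, role, typ, rng = s.split(":", 3)
        low, _, high = rng.partition("-")
        return cls(user, role, typ, low, high or low)

    def range_str(self) -> str:
        return self.low if self.low == self.high else f"{self.low}-{self.high}"

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.range_str()}"


# Constructed range_transition table: (source domain, target type, class) -> range.
RangeTransitions = Dict[Tuple[str, str, str], str]


def new_file_range(proc: Context, parent: Context, default: str,
                   transitions: Optional[RangeTransitions] = None,
                   cls: str = "file") -> str:
    """Range for an object created by `proc` inside `parent`.

    default == "source_low": inherit the low level of the creating process
                             (the behaviour the thread associates with MLS).
    default == "target":     inherit the parent directory's range
                             (the behaviour Dan wants as the MCS default).
    An explicit range_transition entry always wins over the default, but it
    can only yield the fixed range R recorded for (D, T, class); it cannot
    express "inherit from the creator" for some domains and not others.
    """
    transitions = transitions or {}
    key = (proc.type, parent.type, cls)
    if key in transitions:
        return transitions[key]
    if default == "source_low":
        return proc.low
    if default == "target":
        return parent.range_str()
    raise ValueError(f"unknown default {default!r}")


def new_file_context(proc: Context, parent: Context, default: str,
                     transitions: Optional[RangeTransitions] = None,
                     cls: str = "file") -> Context:
    """Full context of the new object: creator's user, object_r, parent's type
    (type_transition is ignored in this toy), and the computed range."""
    rng = new_file_range(proc, parent, default, transitions, cls)
    low, _, high = rng.partition("-")
    return Context(proc.user, "object_r", parent.type, low, high or low)


if __name__ == "__main__":
    # Constructed sample contexts mirroring Stephen's example.
    proc = Context.parse("system_u:system_r:svirt_t:s0:c256,c387")
    parent = Context.parse("system_u:object_r:virt_image_t:s0")
    for mode in ("source_low", "target"):
        print(f"{mode:10s} -> {new_file_context(proc, parent, mode)}")
    rt = {("svirt_t", "virt_image_t", "file"): "s0:c256,c387"}
    other = Context.parse("system_u:system_r:svirt_t:s0:c1,c2")
    # The transition gives the fixed range even to a differently-labelled creator.
    print(f"range_transition -> {new_file_context(other, parent, 'target', rt)}")
```

Run with the "target" mode, the svirt_t:s0:c256,c387 process creating a file in the :s0 directory yields :s0, which is exactly the outcome Stephen questions; with "source_low" it yields :s0:c256,c387. The range_transition row shows his other point: a second svirt_t process labelled s0:c1,c2 still gets the fixed s0:c256,c387 from the rule, so transitions cannot stand in for a per-domain inheritance policy. The statement that later entered the kernel policy language for this purpose is default_range (per class, source or target, low/high/low_high), with a different spelling from the level_default proposal quoted in the thread.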