My client truncated my earlier message.

Is per-object granularity sufficient, or would a tuple of (user/role/type, object) be a better key for indexing these rules? This makes sense for the role and type fields of a context, but I'm not so sure about the user field.

Examples:

default_user NetworkManager_t dir_file_class process;
default_role NetworkManager_t dir_file_class process;
default_type NetworkManager_t dir_file_class process;

I'm just unsure that per-object granularity is sufficient. Thoughts?

Thanks,
David

On Tue, Oct 18, 2011 at 8:58 AM, David Windsor <dwindsor@xxxxxxxxx> wrote:
> "Christopher J. PeBenito" <cpebenito@xxxxxxxxxx> wrote:
>>
>> On 10/14/11 11:57, Daniel J Walsh wrote:
>> > Eric and I have come up with the following syntax for this behaviour.
>> >
>> > default_trans level dir_file_class_set parent;
>>
>> I think we want this to be "range" instead of "level", since the field is
>> actually a range.
>>
>> > default_trans user dir_file_class_set process;
>> > default_trans role file parent;
>>
>> Isn't there a better set of tokens than this? Why not make it
>> default_user, default_role, default_type, and default_range? Creating an
>> object doesn't really imply a transition, so "trans" seems misleading.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>
> Also, do we want to add the ability to specify a source type for default
> transitions so that transitions can be controlled with more granularity than
> on a per-object basis? For instance:
>
> default_user http

--
PGP: 6141 5FFD 11AE 9844 153E F268 7C98 7268 6B19 6CC9
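To make the granularity question concrete, here is a small Python model of the draft rule syntax quoted in the thread. It is an added example, not code from the thread, from SELinux or from the policy compiler. It assumes the tokens as written in the messages (`default_<field> [<source_type>] <class or class set> process|parent;`), that `process` copies the field from the creating process's context and `parent` copies it from the parent object's context, that a rule keyed on (source type, class) wins over one keyed on class alone, a constructed fallback (user, role and range from the process, type from the parent) when no rule matches, and a constructed expansion of `dir_file_class_set`. Rule lines, contexts and policy fragment are constructed sample input.

```python
"""Toy resolver for the draft default_* rules discussed in the thread.

Added example, not code from the thread or from SELinux. It models the
syntax as quoted in the messages:

    default_<field> [<source_type>] <class_or_class_set> process|parent;

"process" means the field is copied from the creating process's context,
"parent" means it is copied from the parent object's context. The optional
<source_type> is the finer-grained key David asks about; a rule keyed on
(source type, class) is assumed to win over one keyed on class alone.
"""
import re
from dataclasses import dataclass

FIELDS = ("user", "role", "type", "range")

# Fallback used when no rule matches (assumption: user, role and range
# follow the creating process, type follows the parent object).
DEFAULT_ORIGIN = {"user": "process", "role": "process",
                  "type": "parent", "range": "process"}

# Constructed expansion of the class-set macro used in the thread.
CLASS_SETS = {
    "dir_file_class_set": ("dir", "file", "lnk_file", "sock_file",
                           "fifo_file", "chr_file", "blk_file"),
}

RULE_RE = re.compile(
    r"^default_(user|role|type|range)\s+(\S+)(?:\s+(\S+))?\s+(process|parent)\s*;$"
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    range: str

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}:{self.range}"


def parse_rules(text):
    """Return {(field, source_type or None, class): "process" | "parent"}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        field, first, second, origin = m.groups()
        # Two tokens before the origin => (source type, class); one => class only.
        source_type, cls = (None, first) if second is None else (first, second)
        for c in CLASS_SETS.get(cls, (cls,)):
            key = (field, source_type, c)
            if key in rules and rules[key] != origin:
                raise ValueError(f"conflicting rules for {key}")
            rules[key] = origin
    return rules


def rule_origin(rules, field, source_type, cls):
    """Most specific matching rule: (source type, class), then class alone,
    then the constructed fallback."""
    return (rules.get((field, source_type, cls))
            or rules.get((field, None, cls))
            or DEFAULT_ORIGIN[field])


def new_object_context(rules, process, parent, cls):
    """Label a new object of class `cls` created by `process` under `parent`."""
    values = {}
    for field in FIELDS:
        origin = rule_origin(rules, field, process.type, cls)
        src = process if origin == "process" else parent
        values[field] = getattr(src, field)
    return Context(**values)


# Constructed policy fragment in the draft syntax.
POLICY = """
# per-class rules, as in the thread
default_user dir_file_class_set parent;
default_role dir_file_class_set parent;
default_range file parent;
# David's finer-grained variant keyed on the creating process's type
default_user NetworkManager_t dir_file_class_set process;
"""

RULES = parse_rules(POLICY)
# Constructed contexts: two creating processes and one parent directory.
NM = Context("system_u", "system_r", "NetworkManager_t", "s0")
HTTPD = Context("system_u", "system_r", "httpd_t", "s0")
HOME_DIR = Context("user_u", "object_r", "user_home_dir_t", "s0-s0:c0.c1023")

if __name__ == "__main__":
    for proc in (NM, HTTPD):
        for cls in ("file", "sock_file"):
            print(f"{proc.type:17} {cls:10} -> "
                  f"{new_object_context(RULES, proc, HOME_DIR, cls)}")
```

Running it shows the difference the extra key makes: with only the per-class rules, every process creating a file under the home directory gets `user_u` from the parent, while the (NetworkManager_t, class) rule lets that one domain keep `system_u`. The conflict check in `parse_rules` also shows why a tuple key matters for policy tooling: two rules can only clash if they share the whole key, so a (source type, class) rule never collides with the plain class rule it refines.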