On Tue, 2011-10-18 at 18:07 -0400, David Windsor wrote:
> My client truncated my earlier message.
>
> Is per-object granularity sufficient, or would a tuple of
> (user/role/type, object) be a better key for indexing these rules?
> This makes sense for the role and type fields of a context, but I'm
> not so sure about the user field.
>
> Examples:
>
> default_user NetworkManager_t dir_file_class process;
> default_role NetworkManager_t dir_file_class process;
> default_type NetworkManager_t dir_file_class process;
>
> I'm just unsure that per-object granularity is sufficient. Thoughts?

We're trying to introduce the ability to configure the fallback default for
labeling behavior when no *_transition rule matches. Per-object-class should
be sufficient for that purpose. If we want to introduce more general
_transition rules we can do that separately.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
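The following is an added illustration, not code from the selinux list thread or from the SELinux kernel or policy tools: a toy Python model of how a new object gets its label, with a per-object-class fallback default for each context field that is consulted only when no transition rule matches. The policy tables, type names (net_conf_t, etc_t) and the "source"/"target" keywords are constructed for the example; only type_transition rules are modelled, and the per-class defaults are looked up by object class alone, which is the granularity the reply above argues is sufficient.

```python
# Added example (not from the selinux list thread): a toy model of SELinux
# new-object labeling. A *_transition rule wins when one matches; otherwise a
# per-object-class default decides, field by field, whether the new object
# inherits that field from the creating process (source) or from the parent
# object (target).
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str


# Constructed sample policy: one type_transition rule keyed on
# (source type, target type, object class) -> resulting type.
TYPE_TRANSITIONS = {
    ("NetworkManager_t", "etc_t", "file"): "net_conf_t",
}

# Constructed per-object-class defaults: object class -> {field: "source"|"target"}.
# Keyed by class only; no (user/role/type, object) tuple is needed because each
# class entry already carries one choice per context field.
DEFAULTS = {
    "file": {"user": "source", "role": "source", "type": "target"},
    "dir": {"user": "source", "role": "source", "type": "target"},
    "process": {"user": "source", "role": "source", "type": "source"},
}

# Fallback for a class with no explicit default entry (constructed, modelled on
# the classic behaviour of user-from-process, role/type-from-parent for objects).
LEGACY_DEFAULT = {"user": "source", "role": "target", "type": "target"}


def label_new_object(source: Context, target: Context, obj_class: str) -> Context:
    """Compute the label for a new object of obj_class created by `source`
    under parent object `target`.

    The type field is taken from a matching type_transition rule if one
    exists; every field without a matching rule falls back to the per-class
    default, which names either the source or the target context.
    """
    defaults = DEFAULTS.get(obj_class, LEGACY_DEFAULT)

    def pick(field: str) -> str:
        origin = source if defaults[field] == "source" else target
        return getattr(origin, field)

    new_type = TYPE_TRANSITIONS.get((source.type, target.type, obj_class))
    if new_type is None:
        new_type = pick("type")  # no rule matched: use the class default
    return Context(user=pick("user"), role=pick("role"), type=new_type)


if __name__ == "__main__":
    src = Context("system_u", "system_r", "NetworkManager_t")
    parent = Context("system_u", "object_r", "etc_t")
    for cls in ("file", "dir", "process", "sock_file"):
        print(cls, label_new_object(src, parent, cls))
```

Running the block shows the two paths side by side: the "file" case is resolved by the transition rule, while "dir", "process" and the unlisted "sock_file" class are resolved purely from the per-class default table.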