On Tue, Nov 22, 2011 at 2:39 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Tue, 2011-11-22 at 14:37 -0500, Eric Paris wrote:
>> On Tue, Nov 22, 2011 at 2:25 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > On Tue, 2011-11-22 at 13:59 -0500, Eric Paris wrote:
>> >> A month later and I'm finally back looking at this. I'm not certain looking through the thread what your original suggestions were! I don't see an example of the syntax you want to see. My best guess is people would like to see:
>> >>
>> >> default_user [class_set] {source, target};
>> >> default_role [class_set] {source, target};
>> >> default_type [class_set] {source, target};
>> >> default_range [class_set] {source, target, lub};
>> >>
>> >> Is this right?
>> >
>> > I only gave example syntax for the user/role/type cases (in the earlier discussion I cited in the archives). For the MLS range, you need to distinguish low vs. high vs. full-range for source or target. If you want to be able to replace the current hardcoded logic in mls_compute_sid with configurations, you'd need to be able to express something like:
>> >
>> > # For processes or sockets, inherit the complete source range.
>> > default_range { process socket_class_set } source low-high;
>> >
>> > # For files, inherit only the low/current level of the source range.
>> > default_range dir_file_class_set source low;
>>
>> Are you suggesting we don't offer a lub option?
>
> I don't think we strictly need it in a first implementation. We do need the ability to distinguish inherit-full-range from inherit-low-level though.

I'm just trying to make sure the policy language is ok with it assuming someone wants it. But I'm happy not doing it right now.

default_range { process socket_class_set } both lub;

Seems like it could work without too much trouble to the language.

Ok, I've got it!

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
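To make the proposed `default_range` semantics concrete, here is a small evaluator, added as an example and not code from the thread or from the SELinux policy compiler. It parses the three statement forms discussed above and computes the range a new object would get; the policy fragment is constructed, the thread's class-set macros are expanded by hand to literal classes, and the treatment of `both lub` and of classes with no rule are assumptions noted in the comments.

```python
import re

# An MLS level is (sensitivity, frozenset(categories)); a range is (low, high).
def parse_level(text):
    """'s1:c0.c3,c7' -> (1, frozenset({0, 1, 2, 3, 7})); 's0' -> (0, frozenset())."""
    sens, _, cats = text.partition(":")
    categories = set()
    for part in cats.split(",") if cats else []:
        if "." in part:                      # category span cA.cB
            first, last = part.split(".")
            categories.update(range(int(first[1:]), int(last[1:]) + 1))
        else:
            categories.add(int(part[1:]))
    return (int(sens[1:]), frozenset(categories))
def parse_range(text):
    """'s0-s2:c0.c3' -> (low, high); a single level is a range with low == high."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    return (lo, parse_level(high) if high else lo)
def lub(a, b):
    """Least upper bound of two levels: higher sensitivity, union of categories."""
    return (max(a[0], b[0]), a[1] | b[1])
# default_range <class | { class ... }> <source|target|both> <low|high|low-high|lub> ;
STMT = re.compile(r"default_range\s+(\{[^}]*\}|\S+)\s+(source|target|both)\s+(low-high|low|high|lub)\s*;")
def parse_defaults(policy):
    """Map each class named in a default_range statement to its (which, what) rule."""
    table = {}
    for classes, which, what in STMT.findall(policy):
        for cls in classes.strip("{}").split():
            table[cls] = (which, what)
    return table
def compute_range(defaults, cls, source, target):
    """Range for a new object of class cls created by source acting on target."""
    rule = defaults.get(cls)
    if rule is None:   # assumption: no rule keeps the file behaviour (low level of source)
        return (source[0], source[0])
    which, what = rule
    if what == "lub":  # assumption: 'both lub' = lub of the two lows and lub of the two highs
        return (lub(source[0], target[0]), lub(source[1], target[1]))
    base = source if which == "source" else target
    if what == "low-high": return base
    return (base[0], base[0]) if what == "low" else (base[1], base[1])
# Constructed policy fragment; the thread's class-set macros are written out as classes.
POLICY = """default_range { process tcp_socket } source low-high;
default_range { dir file } source low;
default_range { unix_stream_socket } both lub;"""
DEFAULTS = parse_defaults(POLICY)
```

With a source range of `s0-s2:c0.c3`, `process` inherits the whole range, `file` gets `s0` only, and the `lub` rule yields a range at least as high as both operands.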