On Wed, Sep 19, 2012 at 12:42 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Tue, 2012-09-18 at 09:40 -0400, Stephen Smalley wrote:
> I think the setcon and setfilecon2 code could be further unified so that
> the entire logic for matching an entry is encapsulated in a single
> helper function that takes a bool argument indicating whether it is
> looking for a domain or type entry.

So the attached patch does the first part above - unify the seapp
context lookup logic from setcon and setfilecon2, without making any
changes to how the username mapping is performed.

> We might also want to reconsider how we map the app usernames to a
> string for seapp_contexts. I just remapped the new format to the app_
> prefix so that there would be no breakage going from ICS to JB, but it
> is a bit misleading.
>
> I also think we might want to revisit how we compute the level.
> Rather than only setting a single category, we might want to compute a
> category pair based on the UID to increase the number of possible unique
> levels and avoid any risk that we will run out of unique levels for a
> large number of installed apps. For comparison, libvirt assigns a
> randomly selected category pair for virtual machines and I heard
> recently that OpenShift is mapping UIDs to category pairs.
>
--
Stephen Smalley
National Security Agency
Respectfully,
William C Roberts
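The category-pair idea raised in the quoted message can be illustrated with a small calculation. The block below is an added example written for this page; it is not code from the thread, from libselinux or from the Android seapp_contexts implementation. It assumes the per-app id has already been separated from the UID (how that is done is outside this example) and uses two hypothetical, disjoint ranges of 256 categories each, so that every app id maps to a distinct, well-formed pair "s0:cA,cB" with A < B. It shows why a pair enlarges the level space from 256 to 256*256 unique levels and how the mapping detects when the space is exhausted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: first category drawn from c0..c255, second from
 * c256..c511. Disjoint ranges guarantee the two categories are never equal
 * (a set {cX,cX} would collapse to a single category) and that A < B. */
#define CAT_RANGE 256u

/* Distinct levels available when each app gets a single category. */
unsigned long unique_levels_single(void)
{
    return CAT_RANGE;
}

/* Distinct levels available when each app gets one category from each range. */
unsigned long unique_levels_pair(void)
{
    return (unsigned long)CAT_RANGE * CAT_RANGE;
}

/* Map an app id to an MLS level string "s0:cA,cB".
 * Returns 0 on success, -1 if the id exceeds the number of unique pairs
 * or the buffer is too small. appid is the per-app part of the UID
 * (extraction from the full UID is assumed to have happened already). */
int level_from_appid(unsigned appid, char *buf, size_t len)
{
    if (appid >= unique_levels_pair())
        return -1;                       /* category space exhausted */

    unsigned low  = appid % CAT_RANGE;             /* c0..c255   */
    unsigned high = CAT_RANGE + appid / CAT_RANGE; /* c256..c511 */

    int n = snprintf(buf, len, "s0:c%u,c%u", low, high);
    if (n < 0 || (size_t)n >= len)
        return -1;                       /* truncated or encoding error */
    return 0;
}

/* Returns 1 if two app ids receive different levels, 0 if they collide
 * (or either id cannot be mapped). Useful as a self-check for the mapping. */
int levels_distinct(unsigned a, unsigned b)
{
    char la[32], lb[32];
    if (level_from_appid(a, la, sizeof la) != 0 ||
        level_from_appid(b, lb, sizeof lb) != 0)
        return 0;
    return strcmp(la, lb) != 0;
}

int main(void)
{
    char buf[32];
    unsigned ids[] = { 0u, 1u, 255u, 256u, 257u, 65535u };

    printf("single category: %lu levels, category pair: %lu levels\n",
           unique_levels_single(), unique_levels_pair());
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        if (level_from_appid(ids[i], buf, sizeof buf) == 0)
            printf("appid %5u -> %s\n", ids[i], buf);
    }
    if (level_from_appid(65536u, buf, sizeof buf) != 0)
        printf("appid 65536 -> out of range\n");
    return 0;
}
```

Using the low bits for the first category and the high bits for the second keeps neighbouring app ids in different pairs, and the explicit range check makes running out of levels a detectable error rather than a silent collision, which is the risk the quoted message is pointing at.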