On Thu, 2014-01-09 at 16:53 -0500, Daniel J Walsh wrote:
> We would like to change
>
> sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
>
> to something like
>
> sid file_labels gen_context(system_u:object_r:invalid_label_t,s0)

I think the file_labels isid is deprecated. Do you mean the unlabeled isid instead?

But yes, I think I also suggested this a couple times. Add a new isid "invalid".

Then leave the unlabeled isid for netlabel (I think netlabel also uses the unlabeled isid).

That way we can also get rid of the inconsistency where "unlabeled" nodes are labeled with the object_r role. (Nodes are active entities, so I would argue the system_r role would be more sensible for nodes.)

Then maybe while we are at it, also see if we can fix that isid ordering issue. If one in one's policy messes up the ordering of the isid context specs, one gets all kinds of weird behavior.

Maybe we can then also really get rid of those deprecated isids? They've been marked deprecated for ages, but as soon as you remove them from policy, shed hits the fan.