On 05/13/2014 05:48 AM, dE wrote: > For a process's security context (user, role, type), there maybe a conflict in the policy. for e.g. for user user_u, access to the kernel's ring buffer may not be allowed, but for role role_r, it may be allowed. The same process will have user_u and role_r. > > So in case of conflicting permissions between user, role and type who's permission will the security server respect -- user's, role's or type's? First, obviously, the access has to be allowed via type enforcement allow rule. After that, the constraints can reduce the access. All of the constraints have to be passed for the end result to be allowed, regardless of what is involved in the constraint (user, role, etc.) There is no precedence in the constraints. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
