Just some questions on these. On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote: > - FILE__ENCLAVE_EXECUTE: equivalent to FILE__EXECUTE, required to gain X > on an enclave page loaded from a regular file One thing that I have hard time to perceive is that whether the process or the target object has them. So would this be in the files extended attribute or does process need to possess this or both? > - PROCESS2__ENCLAVE_EXECDIRTY: hybrid of EXECMOD and EXECUTE+WRITE, > required to gain W->X on an enclave page Still puzzling with EXECMOD given that how it is documented in https://selinuxproject.org/page/ObjectClassesPerms. If anything in that document is out of date, would be nice if it was updated. > - PROCESS2__ENCLAVE_EXECANON: subset of EXECMEM, required to gain X on > an enclave page that is loaded from an > anonymous mapping > > - PROCESS2__ENCLAVE_MAPWX: subset of EXECMEM, required to gain WX on an > enclave page I guess these three belong to the process and are not attached to file. How in SELinux anyway process in the first place acquires any SELinux permissions? I guess getty or whatever login process can set its perms before setuid() et al somehow (I don't know how) because they run as root? /Jarkko
