On Fri, Jul 10, 2020 at 3:14 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> v2: fixes patch description
> Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>

Thanks for the patch, but just like any other project, it would be nice
to see a patch description here. You can also move the changelog
portion of the patch below a "--" delimiter so it doesn't get caught up
in the main description (changelogs aren't quite as useful once the
patch has been committed to the tree).

> ---
> src/objects.md | 24 ++++++++++++++++++++++--
> 1 file changed, 22 insertions(+), 2 deletions(-)

...

> @@ -269,6 +275,20 @@ and manage their transition:
>
> `type_transition`, `role_transition` and `range_transition`
>
> +SELinux-aware applications can enforce a new label (with the policies

As someone who is barely fluent in one language, I hate to criticize
others when they are writing in their non-native language, but I think
this should be "policy's" not "policies".

> +approval of course) using the **libselinux** API functions. The
> +`process setexec`, `process setkeycreate` and `process setsockcreate`
> +access vectors can be used to allow subjects to label processes,
> +kernel keyrings, and sockets programmatically using the
> +***setexec**(3)*, ***setkeycreatecon**(3)* and
> +***setsockcreatecon**(3)* functions respectively, overriding
> +transition statements.
> +
> +The `kernel` and `unlabeled` **initial security identifiers** are used
> +to associate specified labels with subjects that were left unlabeled
> +due to initialization or with subjects that had their label
> +invalidated due to policy changes at runtime respectively.

That looks like a good definition for "unlabeled", but it doesn't look
like you've defined the "kernel" isid?

> ### Object Reuse
>
> As GNU / Linux runs it creates instances of objects and manages the
> --
> 2.27.0

--
paul moore
www.paul-moore.com
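Review bot: in the `@@ -269,6 +275,20 @@` hunk, the function name `***setexec**(3)*` is inconsistent with the two names beside it (`***setkeycreatecon**(3)*` and `***setsockcreatecon**(3)*`), which carry the `-con` suffix; the libselinux function that pairs with the `process setexec` permission is `setexeccon(3)`, so the line should read `+***setexeccon**(3)*, ***setkeycreatecon**(3)* and`. Since the sentence tells readers which man pages to look up for the three override permissions, the wrong name sends them to a page that does not exist.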