Paul Moore <paul@xxxxxxxxxxxxxx> writes:

> On Fri, Jul 10, 2020 at 3:14 AM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> v2: fixes patch description
>> Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxxxx>
>
> Thanks for the patch, but just like any other project, it would be
> nice to see a patch description here. You can also move the changelog
> portion of the patch below a "--" delimiter so it doesn't get caught
> up in the main description (changelogs aren't quite as useful once the
> patch has been committed to the tree).

Thanks. I will redo it.

>
>> ---
>> src/objects.md | 24 ++++++++++++++++++++++--
>> 1 file changed, 22 insertions(+), 2 deletions(-)
>
> ...
>
>> @@ -269,6 +275,20 @@ and manage their transition:
>>
>> `type_transition`, `role_transition` and `range_transition`
>>
>> +SELinux-aware applications can enforce a new label (with the policies
>
> As someone who is barely fluent in one language I hate to criticize
> others when they are writing in their non-native language, but I think
> this should be "policy's" not "policies".

I appreciate these corrections and will apply that with a v3.

>
>> +approval of course) using the **libselinux** API functions. The
>> +`process setexec`, `process setkeycreate` and `process setsockcreate`
>> +access vectors can be used to allow subjects to label processes,
>> +kernel keyrings, and sockets programmatically using the
>> +***setexec**(3)*, ***setkeycreatecon**(3)* and
>> +***setsockcreatecon**(3)* functions respectively, overriding
>> +transition statements.
>> +
>> +The `kernel` and `unlabeled` **initial security identifiers** are used
>> +to associate specified labels with subjects that were left unlabeled
>> +due to initialization or with subjects that had their label
>> +invalidated due to policy changes at runtime respectively.
>
> That looks like a good definition for "unlabeled", but it doesn't look
> like you've defined the "kernel" isid?

I did (note the "respectively") but maybe I wrote it down in a less than
optimal way?:

kernel: "are used to associate specified labels with subjects that were
left unlabeled due to initialization"

unlabeled: "(are used to associate specified labels) with subjects that
had their label invalidated due to policy changes at runtime"

>
>> ### Object Reuse
>>
>> As GNU / Linux runs it creates instances of objects and manages the
>> --
>> 2.27.0

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
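Review bot: the function names in the added paragraph of the `@@ -269,6 +275,20 @@` hunk are inconsistent: `***setkeycreatecon**(3)*` and `***setsockcreatecon**(3)*` carry the `con` suffix, but the first is written `***setexec**(3)*`, which is the name of the `process` permission rather than of the libselinux call; it should read `***setexeccon**(3)*` so that all three match the functions they document. The final sentence of the same hunk also hides the `kernel` definition behind a single trailing "respectively" (which is what made it easy to miss in review); splitting it into one sentence per initial SID, e.g. "The `kernel` initial SID labels subjects left unlabeled during initialization. The `unlabeled` initial SID labels subjects whose label was invalidated by a policy change at runtime.", would make both definitions unambiguous.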