On Wed, Jul 05, 2006 at 03:41:35PM -0500, Joe Nall wrote:
> On the HP CMW, /dev/null has a WILDCARD label
>
> cmw:joe> lslevel /dev/null
> /dev/null WILDCARD
>
> WILDCARD is really the absence of a label (literally a null pointer
> in the API). This is equivalent to a SystemLow-SystemHigh range for
> most applications.

The SELinux MLS policy supports trusted objects for this purpose, so
this would not really require a ranged object.

> Directories are not ranged, but have to satisfy the constraint that
> the directory contents must dominate the directory. To create a file
> in a directory with a lower classification, the creating process must
> have the allowmacwrite privilege. Directory relabels are only
> possible if the directory is empty.

This gets back to the original question - is there a real need in the
SELinux MLS policy for regular users to access multilevel objects other
than specific exceptions for trusted objects? It would simplify analysis
to get rid of them.

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
