> Directories are not ranged, but have to satisfy the constraint that
> the directory contents must dominate the directory. To create a file
> in a directory with a lower classification, the creating process must
> have the allowmacwrite privilege. Directory relabels are only
> possible if the directory is empty.

Doesn't this statement imply the directory is ranged from the label to SystemHigh? If a directory is U and a U and S process can write into it, I would consider this ranged. I know PitBull has ranged directories. Whether the maximum is SystemHigh or a maximum SL is merely an implementation detail.

Back to the original question, on the desire of having multi-level objects I could probably go either way.

-Chad

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
