On Mon, 2006-10-02 at 15:06 -0400, Linda Knippers wrote:
> Stephen Smalley wrote:
> > For the translation daemon itself, you might want a libselinux function
> > that lets you disable all translations (i.e. set a flag that is checked
> > on entry by selinux_trans_to_raw_context() and
> > selinux_raw_to_trans_context() and handled in the same manner as the !
> > mls_enabled case). Then the translation daemon could just call any
> > libselinux function without needing to worry about accidentally
> > triggering a communication to itself.
>
> I threw together a couple of patches. Is this what you had in mind?

Essentially, yes. I'd call it selinux_set_translation() instead, since it
can be used to subsequently re-enable them as well. The libselinux patch
needs to go to selinux list.

On the mcstransd patch, it would be more flexible if we introduced a
separate class and permission for translations so that one could e.g.
configure translation-related policy differently than the file access
policy, although that naturally requires a patch to define the class/perm
for refpolicy and a patch for libselinux for the regenerated headers.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
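
The flag-on-entry design discussed in this thread, modelled as an added example; it is not the patches mentioned above and not libselinux code. Every demo_ name, the two labels and the daemon stand-in are hypothetical or constructed, and the pass-through copy for the disabled case is an assumption about how the !mls_enabled path behaves.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Every demo_ name is hypothetical: a model of the design, not libselinux code. */
#define DEMO_RAW   "s0:c0.c1023"   /* constructed raw MLS label */
#define DEMO_TRANS "SystemHigh"    /* constructed translated label */
static int demo_mls_enabled = 1;         /* stands in for the library's mls_enabled */
static int demo_translation_enabled = 1; /* the flag proposed in the thread */
static int demo_daemon_requests = 0;     /* simulated round trips to the daemon */

/* One setter that can disable and later re-enable translation. */
void demo_set_translation(int enabled) { demo_translation_enabled = (enabled != 0); }
int demo_daemon_request_count(void) { return demo_daemon_requests; }

static char *demo_copy(const char *s)
{
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Stand-in for the socket exchange with the translation daemon. */
static char *demo_ask_daemon(const char *ctx, int to_raw)
{
    const char *from = to_raw ? DEMO_TRANS : DEMO_RAW;
    const char *to = to_raw ? DEMO_RAW : DEMO_TRANS;
    demo_daemon_requests++;
    return demo_copy(strcmp(ctx, from) == 0 ? to : ctx);
}

static int demo_convert(const char *in, char **out, int to_raw)
{
    if (!in) { *out = NULL; return 0; }
    /* Checked on entry: MLS off or translation disabled gives a copy, no daemon contact. */
    *out = (!demo_mls_enabled || !demo_translation_enabled)
               ? demo_copy(in) : demo_ask_daemon(in, to_raw);
    return *out ? 0 : -1;
}

int demo_trans_to_raw_context(const char *t, char **rawp) { return demo_convert(t, rawp, 1); }
int demo_raw_to_trans_context(const char *r, char **transp) { return demo_convert(r, transp, 0); }

int main(void)
{
    char *out = NULL;
    demo_set_translation(0);   /* what the daemon itself would do at startup */
    demo_trans_to_raw_context(DEMO_TRANS, &out);
    printf("%s (daemon requests: %d)\n", out ? out : "(null)", demo_daemon_request_count());
    free(out);
    return 0;
}
```

With the flag cleared, both conversion entry points return the input unchanged and the request counter does not move, which is the property that keeps a daemon from sending a translation request to itself.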
