On Mon, 2006-10-02 at 15:01 -0500, Darrel Goeddel wrote:
> > On the mcstransd patch, it would be more flexible if we introduced a
> > separate class and permission for translations so that one could e.g.
> > configure translation-related policy differently than the file access
> > policy, although that naturally requires a patch to define the
> > class/perm for refpolicy and a patch for libselinux for the regenerated
> > headers.
>
> Also agreed... We can't really assume that we are translating a file context.
> Something that would be translating process domains would then need policy to
> allow file:getattr for domain types, and that would look weird.

As /proc/pid entries are labeled with the process context, it would also
have side effects.

> Anyway, are you thinking about something like:
>
> - create a class "context" with permission "translate"
> - put in an mlsconstraint that says "h1 dom h2" for the above permission
>
> Now what for the TE... I don't see an easy way to allow a domain to translate
> all contexts very easily. We can't say "allow foo_t *:context translate".
> What I'd really like is no TE involvement whatsoever (sorry bout that), along
> the lines of "allow * *:context translate;". Is there a nice set of
> attributes that should cover all types (cc'd Chris in case he has a quick
> answer)?

Interfaces for allowing translate of all domains and all file types would
cover the vast majority of cases. If we further have userspace object
managers like dbusd and X disable translation altogether, then they
won't have to deal with translation of the contexts they handle for
their own abstractions.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
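
The "h1 dom h2" check named in the proposed mlsconstraint, worked through as an added example (not code from this thread, from mcstransd or from libselinux). It assumes the source context is the process requesting translation and the target is the context being translated; the function names and sample contexts are constructed for illustration.

```python
import re

def parse_level(level):
    """Parse one MLS level such as 's2:c0.c3,c7' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        r = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not r:
            raise ValueError(f"bad category: {part!r}")
        lo = int(r.group(1))
        hi = int(r.group(2)) if r.group(2) else lo
        if hi < lo:
            raise ValueError(f"reversed category range: {part!r}")
        categories.update(range(lo, hi + 1))  # 'c0.c3' means c0 through c3
    return int(m.group(1)), frozenset(categories)

def high_level(context):
    """Return the parsed high level (the 'h' in h1/h2) of user:role:type:low[-high]."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no MLS field: {context!r}")
    low, _, high = fields[3].partition("-")
    return parse_level(high or low)  # a single level is both low and high

def dominates(a, b):
    """a dom b: sensitivity at least as high and category set a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def may_translate(source_ctx, target_ctx):
    """Evaluate 'h1 dom h2' only; type enforcement rules are a separate decision."""
    return dominates(high_level(source_ctx), high_level(target_ctx))

if __name__ == "__main__":
    # Constructed sample contexts, not taken from any real policy or system.
    requester = "staff_u:staff_r:staff_t:s0-s2:c0.c5"
    for target in ("system_u:object_r:etc_t:s1:c2,c4",
                   "system_u:object_r:shadow_t:s3:c0",
                   "system_u:object_r:etc_t:s1:c9"):
        print(target, "->", may_translate(requester, target))
```

The third sample shows the incomparable case: the requester's sensitivity is higher, but it lacks category c9, so dominance fails.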
