On Tue, 2006-10-31 at 13:33 -0500, James Antill wrote:
> On Tue, 2006-10-31 at 11:21 -0500, Stephen Smalley wrote:
>
> > No. The ability to make the security call is controlled by the
> > compute_av permission on the security class, and isn't based on the
> > individual contexts passed as arguments. That would be:
> > allow $1 security_t:security compute_av;
> > which has an interface:
> > selinux_compute_access_vector($1)
> > which is already in authlogin.if. No change required for allowing the
> > call to happen.
> >
> > What you are instead trying to do is to define the _result_ of that
> > compute_av call based on its arguments, not whether it can be made by
> > login. So the TE rule would go into userdomain.if and be of the form:
> > allow $1 self:context <permissionname>;
>
> Ok, I think I have it now. Both patches are at (with the renamed
> permission):
>
> http://people.redhat.com/jantill/pam-config_role/upstream/
They look sane to me. Please post them in separate messages, preferably
inline, and cc Chris PeBenito on the policy patch.

--
Stephen Smalley
National Security Agency

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
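As an added illustration of the distinction drawn in the quoted reply (this is not either of the patches linked in the thread, which are not reproduced here), the two pieces of policy side by side in reference-policy interface style. Only `selinux_compute_access_vector`, `compute_av`, `security_t` and the `self:context` rule shape come from the thread; the permission name `contains`, the interface name `userdom_context_contains`, and the calling domains `local_login_t` and `user_t` are assumed placeholders, since the thread does not show the renamed permission or the .te files.

```m4
## Added example, not from the thread's patches. Placeholder names are marked.

## authlogin.if (already present, per the thread). This only decides whether
## the caller may issue the security_compute_av() call at all; the contexts
## it passes as arguments play no part in this rule.
interface(`selinux_compute_access_vector',`
	gen_require(`
		type security_t;
		class security compute_av;
	')

	allow $1 security_t:security compute_av;
')

## userdomain.if (the new rule). This is what the compute_av call returns
## when it is asked about class `context' with the user domain as both
## source and target. `contains' and the interface name are placeholders
## for the renamed permission the thread does not show.
interface(`userdom_context_contains',`
	gen_require(`
		class context contains;
	')

	allow $1 self:context contains;
')

## Callers (assumed .te files and domains). login gets to make the call:
selinux_compute_access_vector(local_login_t)

## ...and the answer for a given user domain is set by the second rule, so
## changing which contexts pass never touches login's own permissions:
userdom_context_contains(user_t)
```

The practical check after building such a policy is that `sesearch` on the two rules shows `compute_av` granted to the login domain against `security_t` and the `context` permission granted to the user domain against itself, with nothing about the `context` class granted to login; that split is the point of the reply.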
