On Mon, Aug 26, 2013 at 10:15 AM, Stephen Smalley <[email protected]> wrote:
> On 08/26/2013 01:03 PM, William Roberts wrote: > > On Mon, Aug 26, 2013 at 10:00 AM, Stephen Smalley <[email protected]> > wrote: > > > >> On 08/26/2013 12:56 PM, William Roberts wrote: > >>> On Mon, Aug 26, 2013 at 9:22 AM, William Roberts > >>>> Implementation 2: > >>>> We add a new sens category > >>>> > >>> Id be more ok with this approach if level was cats. And adding cats now > >>> would be an additional thing to remember based on history. > >>> sens=s0 cats=app is a bit more clear then sens=s1 level=app > >> > >> I think you mean if levelFrom= was catsFrom= (or categoriesFrom=). > >> If you want to effectively introduce an alias into the parser so that it > >> accepts either categoriesFrom= or levelFrom= and switch the sample > >> seapp_contexts over to using categoriesFrom=, then I am fine with that. > >> That's no different than what we did with the levelFromUid=true|false > >> to levelFrom=none|app|user|all transition. > >> > >> Yes, but my underlying problem with this, is looking back, i think level > > could have just been smarter. since a true level (sens + cat) is a > > wellformed and well standardized, the logic to handle it is simple. > > Really? All of the below are valid values for level= > > s0 > s0:c0 > s0:c0,c2 > s0:c0.c10 == s0:c0,c1,c2,c3,c4,c5,c6,c7,c8,c9,c10 > s0:c0.c10,c255 > s0-s15 (a range; lowlevel-highlevel) > s0-s15:c0,c2 > s0:c0-s15:c0 > s0:c0,c2-s15:c0.c1024 > > It gets a bit messy to parse them. > mcstransd in Fedora/RHEL is likely an example if you want to look at one. > Looks like both implementations fall short of building weird strings... Josh chimed in with appending a category, what if you specified level and levelFrom, it just did a simple concatenation? level + levefrom = cats? -- Respectfully, William C Roberts
