On Aug 26, 2013 4:41 PM, "Stephen Smalley" <[email protected]> wrote: > > On 08/26/2013 04:03 PM, William Roberts wrote: > > On Mon, Aug 26, 2013 at 10:15 AM, Stephen Smalley <[email protected]> wrote: > > > >> On 08/26/2013 01:03 PM, William Roberts wrote: > >>> On Mon, Aug 26, 2013 at 10:00 AM, Stephen Smalley <[email protected]> > >> wrote: > >>> > >>>> On 08/26/2013 12:56 PM, William Roberts wrote: > >>>>> On Mon, Aug 26, 2013 at 9:22 AM, William Roberts > >>>>>> Implementation 2: > >>>>>> We add a new sens category > >>>>>> > >>>>> Id be more ok with this approach if level was cats. And adding cats now > >>>>> would be an additional thing to remember based on history. > >>>>> sens=s0 cats=app is a bit more clear then sens=s1 level=app > >>>> > >>>> I think you mean if levelFrom= was catsFrom= (or categoriesFrom=). > >>>> If you want to effectively introduce an alias into the parser so that it > >>>> accepts either categoriesFrom= or levelFrom= and switch the sample > >>>> seapp_contexts over to using categoriesFrom=, then I am fine with that. > >>>> That's no different than what we did with the levelFromUid=true|false > >>>> to levelFrom=none|app|user|all transition. > >>>> > >>>> Yes, but my underlying problem with this, is looking back, i think level > >>> could have just been smarter. since a true level (sens + cat) is a > >>> wellformed and well standardized, the logic to handle it is simple. > >> > >> Really? All of the below are valid values for level= > >> > >> s0 > >> s0:c0 > >> s0:c0,c2 > >> s0:c0.c10 == s0:c0,c1,c2,c3,c4,c5,c6,c7,c8,c9,c10 > >> s0:c0.c10,c255 > >> s0-s15 (a range; lowlevel-highlevel) > >> s0-s15:c0,c2 > >> s0:c0-s15:c0 > >> s0:c0,c2-s15:c0.c1024 > >> > >> It gets a bit messy to parse them. > >> mcstransd in Fedora/RHEL is likely an example if you want to look at one. > >> > > > > Looks like both implementations fall short of building weird strings... > > > > > > Josh chimed in with appending a category, what if you specified level and > > levelFrom, it just did a simple concatenation? > > level + levefrom = cats? > > I think I'd rather have an explicit extraCategories= output selector. > But you'd need to expand the number of categories to provide a range > that is not ever used by the levelFrom= code to ensure no conflicts.
Yeah... I'm still not keen on adding an extra output selector. > And some caution is advised there; due to some inefficiency in the > representation, significant increases in the number of categories can > have a non-trivial affect on policy size. > > Yes I've seen this before. I think I'm just going to add a wildcard support to level... Something like all %a get replaced with appid, etc.
