Tetsuo Handa wrote:
> Omission of <$namespace> cannot imply that it remains in the same namespace,
> for "initialize_domain" is currently used (and should not be changed at least
> within TOMOYO 1.8.x) as a directive that causes transition to
> "<current_namespace> /usr/bin/foo" domain. It is very strange that
>
>   initialize_domain <$namespace> /usr/bin/foo from any
>
> transits to "<$namespace>" domain whereas
>
>   initialize_domain /usr/bin/foo from any
>
> transits to "<current_namespace> /usr/bin/foo" domain. Therefore,
>
>   initialize_domain <$namespace> /usr/bin/foo from any
>
> would have to transit to "<$namespace> /usr/bin/foo" domain rather than
> "<$namespace>" domain. I think users want to start from "<$namespace>" domain.

Oops, yes I agree with you.

>> Secondly, it implies that the directive is similar in action to
>> "initialize_domain", which controls domain transition on program
>> execution.
>
> I think "restart_domain" (or "reset_domain") can imply that the directive is
> similar in action to "initialize_domain", which controls domain transition on
> program execution.
>
> ...
>
> Since "task manual_domain_transition" and "auto_domain_transition=" can
> transit to other namespaces, it is natural for me that "restart_domain" can
> transit to other namespaces.
>
> "initialize_domain /usr/sbin/httpd from any" is interpreted as
>
>   the process will transit to "<current_namespace> /usr/sbin/httpd" domain if
>   /usr/sbin/httpd is executed from arbitrary domains in current namespace
>
> and "keep_domain /usr/sbin/httpd from any" is interpreted as
>
>   the process will keep current domain if
>   /usr/sbin/httpd is executed from arbitrary domains in current namespace
>
> . "restart_domain /usr/sbin/httpd from any" will be interpreted as
>
>   the process will transit to "</usr/sbin/httpd>" domain if
>   /usr/sbin/httpd is executed from arbitrary domains in current namespace

Good points. Though I feel like there isn't enough differentiation in meaning between "initialize" and "restart". Perhaps transit is a better fit, and we already use a variant of the verb transit in "auto_domain_transition" and "task manual_domain_transition", both of which can also transit to different namespaces.