[redhat-lspp] Re: mcstransd question
Stephen Smalley
sds at tycho.nsa.gov
Mon Oct 2 20:40:13 UTC 2006
On Mon, 2006-10-02 at 15:01 -0500, Darrel Goeddel wrote:
> > On the mcstransd patch, it would be more flexible if we introduced a
> > separate class and permission for translations so that one could e.g.
> > configure translation-related policy differently than the file access
> > policy, although that naturally requires a patch to define the
> > class/perm for refpolicy and a patch for libselinux for the regenerated
> > headers.
>
> Also agreed... We can't really assume that we are translating a file context.
> Something that would be translating process domains would then need policy to
> allow file:getattr for domain types, and that would look weird.
As /proc/pid entries are labeled with the process context, it would also
have side effects.
> Anyway, are
> you thinking about something like:
>
> - create a class "context" with permission "translate"
> - put in an mlsconstraint that says "h1 dom h2" for the above permission
>
> Now what for the TE... I don't see an easy way to allow a domain to translate
> all contexts very easily. We can't say "allow foo_t *:context translate". What
> I'd really like is no TE involvement whatsoever (sorry bout that), along the
> lines of "allow * *:context translate;". Is there a nice set of attributes that
> should cover all types (cc'd Chris in case he has a quick answer)?
Interfaces for allowing translate of all domains and all file types
would cover the vast majority of cases. If we further have userspace
object managers like dbusd and X disable translation altogether, then
they won't have to deal with translation of the contexts they handle for
their own abstractions.
--
Stephen Smalley
National Security Agency
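
The "h1 dom h2" constraint proposed in the quoted text, worked through as an added example (not code from this thread, from mcstransd or from libselinux). It models only the MLS half of the check, not the TE rules under discussion; the function names and the sample contexts are constructed for illustration.

```python
# Added illustration of the MLS dominance test behind the proposed
# "context: translate" permission. Names and sample contexts are constructed.

def _cat(token):
    """'c5' -> 5"""
    if not (token.startswith("c") and token[1:].isdigit()):
        raise ValueError(f"bad category: {token!r}")
    return int(token[1:])

def parse_level(level):
    """'s2:c0.c3,c7' -> (2, frozenset({0, 1, 2, 3, 7}))"""
    sens, _, cats = level.partition(":")
    if not (sens.startswith("s") and sens[1:].isdigit()):
        raise ValueError(f"bad sensitivity: {level!r}")
    members = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")      # 'c0.c3' is an inclusive run
        first, last = _cat(lo), _cat(hi or lo)
        if last < first:
            raise ValueError(f"bad category run: {item!r}")
        members.update(range(first, last + 1))
    return int(sens[1:]), frozenset(members)

def high_level(context):
    """Parsed high level of 'user:role:type:low[-high]'."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no MLS range: {context!r}")
    return parse_level(fields[3].split("-")[-1])

def dominates(a, b):
    """a dom b: sensitivity at least as high and categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def may_translate(requester, target):
    """h1 = requester's high level, h2 = high level of the context to translate."""
    return dominates(high_level(requester), high_level(target))

if __name__ == "__main__":
    requester = "staff_u:staff_r:staff_t:s0-s2:c0.c3"      # constructed
    for target in ("system_u:object_r:etc_t:s1:c1,c2",     # file context
                   "system_u:object_r:etc_t:s2:c4",        # category not held
                   "system_u:system_r:init_t:s3"):         # process domain
        print(target, "->", may_translate(requester, target))
```

The same test applies whether the target is a file context or a process domain, which is why the constraint can live on a class of its own rather than on file:getattr.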