MCS printing
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 15 16:24:06 UTC 2006
Matt Anderson wrote:
> I've been working on adding SELinux labeling support to the CUPS service
> with the goal of meeting all the requirements of an LSPP evaluation.
> Even though my goal is a system running the MLS policy I realize that
> many users will be using targeted policy and could be interested in
> these features.
>
> Specifically one addition is forced page labels. On an MLS system its
> common to see SystemLow-SystemHigh added to the top and bottom of each
> printed page, corresponding to the user's level when they sent the job.
> For a targeted system there is no level, so "(null)" was being added.
> If the system was configured for compartments however that would be
> printed, "Reception" or "Lab" could be applied to each page. This is a
> configurable option, and not enabled by default, but it seems like it
> could be useful for some MCS users. My main question is in the case of
> no compartments would you want a marker saying that there wasn't a
> compartment, or should the label be left off? Is there any MCS specific
> things I should be aware of that I might otherwise overlook coming at
> this from an MLS direction?
>
>
You should not have a label if there is none. So s0=="".
For MCS we really want the label of the file you are printing, not the
level that you are running at.
So if I am running
id -Z
user_u:system_r:unconfined_t:s0-PatientRecord,Unclassified
But I print a document labeled PatientRecord, it should print PatientRecord.
Not PatientRecord,Unclassified
> thanks
> -matt
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
More information about the fedora-selinux-list
mailing list