more fine grained access in /etc

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 19 12:59:26 UTC 2007


On Wed, 2007-09-19 at 11:09 +0200, Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further.
> Thanks for your assistance!
> 
> But wouldn't it be nice to have an allow mechanism in SELinux in which
> I could grant access based on its existing access. What I want to
> achieve is to be able to add a rule like "If process can read etc_t,
> then it can also read etc_foo_t"
> 
> That would allow me to change context of individual files, and grant
> access to them by process who already have etc_t, and I wouldn't have
> to redefine almost the entire selinux context tree just to target a
> few individual files in /etc for my app. 

A notion of type inheritance has been discussed previously on selinux
list (the upstream list for general selinux discussion, as opposed to
this list which is Fedora-specific), and has come up again recently.
The devil of course is in the details...

-- 
Stephen Smalley
National Security Agency
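Since no type-inheritance mechanism exists, the rule Torbjørn asks for ("whoever can read etc_t can also read etc_foo_t") can only be approximated by generating explicit allow rules from the current policy. The script below is an added illustration, not code from this thread or from SELinux: it assumes input in the `allow src tgt:class { perms };` shape that `sesearch --allow` prints, uses a constructed sample instead of live output, and derives read-side grants on a new `etc_foo_t` type for every domain that already has them on `etc_t`.

```python
import re
from collections import defaultdict

# Constructed sample in sesearch-style output (format assumed; not from the thread).
SAMPLE_RULES = """\
allow httpd_t etc_t:file { getattr ioctl lock open read };
allow httpd_t etc_t:dir { getattr open read search };
allow sshd_t etc_t:file { getattr ioctl lock open read write };
allow logrotate_t etc_t:lnk_file read;
allow logrotate_t etc_t:lnk_file getattr;
allow httpd_t httpd_config_t:file { getattr open read };
"""

# Matches both brace-wrapped permission sets and a single bare permission.
RULE_RE = re.compile(r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$")

# Only the read-side permissions are mirrored; write access is never widened.
READ_PERMS = frozenset({"read", "getattr", "open", "ioctl", "lock"})
FILE_CLASSES = ("file", "lnk_file")  # etc_foo_t labels files, not directories


def parse_allow_rules(text):
    """Parse sesearch-style allow lines into (src, tgt, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and non-allow rules
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def derive_rules(rules, base_type="etc_t", new_type="etc_foo_t"):
    """Grant on new_type the read-side access each domain already has on base_type."""
    derived = defaultdict(set)
    for src, tgt, cls, perms in rules:
        if tgt != base_type or cls not in FILE_CLASSES:
            continue
        granted = perms & READ_PERMS
        if granted:
            derived[(src, cls)] |= granted  # merge split rules for one domain
    return ["allow %s %s:%s { %s };" % (src, new_type, cls, " ".join(sorted(p)))
            for (src, cls), p in sorted(derived.items())]


if __name__ == "__main__":
    for rule in derive_rules(parse_allow_rules(SAMPLE_RULES)):
        print(rule)
```

The output is a snapshot of the current policy, not a standing relationship: it must be regenerated whenever rules on etc_t change, which is exactly the maintenance burden that a real inheritance mechanism would remove.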