more fine grained access in /etc
Stephen Smalley
sds at tycho.nsa.gov
Wed Sep 19 12:59:26 UTC 2007
On Wed, 2007-09-19 at 11:09 +0200, Torbjørn Lindahl wrote:
> I see. In that case I am not going to push this topic much further.
> Thanks for your assistance!
>
> But wouldn't it be nice to have an allow mechanism in SELinux in which
> I could grant access based on its existing access. What I want to
> achieve is to be able to add a rule like "If process can read etc_t,
> then it can also read etc_foo_t"
>
> That would allow me to change context of individual files, and grant
> access to them by processes that already have etc_t, and I wouldn't have
> to redefine almost the entire selinux context tree just to target a
> few individual files in /etc for my app.
A notion of type inheritance has been discussed previously on selinux
list (the upstream list for general selinux discussion, as opposed to
this list which is Fedora-specific), and has come up again recently.
The devil of course is in the details...
--
Stephen Smalley
National Security Agency
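One way to get the effect Torbjørn asks for with the policy language as it stands, as an added example that is not part of this thread and not code from the SELinux project: instead of inheritance, clone the allow rules. Dump every allow rule whose target is etc_t (on a real host with `sesearch --allow -t etc_t`), keep only the read-type permissions, and emit the same rules against the new type. The type name etc_foo_t is taken from the question; the sesearch-style input lines below are constructed, not real policy output, and the script is a stand-alone Python program rather than anything a policy tool provides.

```python
"""
Approximate "type inheritance" for a new SELinux type by cloning allow rules.

Added example, not part of the fedora-selinux-list thread and not code from
the SELinux project.  Given the allow rules that target etc_t, it emits
matching rules for a new type (etc_foo_t, the name used in the question) so
that every domain which can read etc_t can also read the new type.  On a real
host the input would come from `sesearch --allow -t etc_t`; the sample below
is constructed in the shape that tool prints.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (not real policy output).  Both the newer
# `allow src tgt:class { perms };` and the older `allow src tgt : class { perms } ;`
# layouts appear, plus a bare single-permission rule, so the parser sees each.
SAMPLE_SESEARCH_OUTPUT = """\
allow sshd_t etc_t:file { getattr ioctl lock open read };
allow sshd_t etc_t:dir { getattr ioctl lock open read search };
allow httpd_t etc_t:file { getattr ioctl lock open read };
allow httpd_t etc_t:lnk_file { getattr read };
allow rpm_t etc_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow cupsd_t etc_t : file { read getattr open } ;
allow cupsd_t bin_t:file { execute read };
allow ntpd_t etc_t:file read;
"""

# Permissions that count as "can read" for the purpose of the cloned rules.
READ_PERMS = frozenset({"read", "getattr", "open", "ioctl", "lock", "search"})

# One allow rule: `allow SRC TGT[ ]:[ ]CLASS PERMS;` where PERMS is either
# `{ a b c }` or a single bare permission.
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{]+)\s*"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;\s*$"
)

Rule = Tuple[str, str, str, Set[str]]  # (source, target, class, perms)


def parse_allow_rules(text: str) -> List[Rule]:
    """Parse sesearch-style allow lines; lines that do not match are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = set(m.group("perms").split())
        else:
            perms = {m.group("perm")}
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms))
    return rules


def clone_rules(rules: List[Rule], from_type: str,
                keep: frozenset = READ_PERMS) -> Dict[Tuple[str, str], Set[str]]:
    """
    Collect, per (source domain, object class), the permissions each domain
    holds on `from_type`, restricted to `keep`.  Restricting to READ_PERMS is
    what turns this into "if it can read etc_t it can read etc_foo_t" rather
    than "it gets everything it had on etc_t": rpm_t's write access is not
    copied over.  Rules against other targets (bin_t) are skipped.
    """
    cloned: Dict[Tuple[str, str], Set[str]] = {}
    for src, tgt, cls, perms in rules:
        if tgt != from_type:
            continue
        granted = perms & keep
        if granted:
            cloned.setdefault((src, cls), set()).update(granted)
    return cloned


def render_te(cloned: Dict[Tuple[str, str], Set[str]], to_type: str) -> List[str]:
    """Render a policy-module fragment (.te syntax) granting the cloned rules."""
    lines = [f"type {to_type};",
             f"# add {to_type} to whatever file attribute your base policy expects"]
    for (src, cls), perms in sorted(cloned.items()):
        lines.append(f"allow {src} {to_type}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_SESEARCH_OUTPUT)
    print("\n".join(render_te(clone_rules(parsed, "etc_t"), "etc_foo_t")))
```

This only imitates inheritance at policy-build time: the generated module has to be regenerated whenever the base policy's etc_t rules change, it says nothing about dontaudit, neverallow or constraint rules, and after changing the file context of the individual files they still have to be relabeled (restorecon) before the new rules apply to them.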