[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Stephen Smalley
sds at tycho.nsa.gov
Tue Oct 31 14:23:30 UTC 2006
On Mon, 2006-10-30 at 15:16 -0500, James Antill wrote:
> On Mon, 2006-10-30 at 15:03 -0500, James Antill wrote:
> > On Fri, 2006-10-27 at 14:38 -0400, Stephen Smalley wrote:
> >
> > > Look at Darrel's patch for mcstransd to apply a permission check between
> > > the level of the caller and the level being translated for context
> > > translations.
> >
> > Thanks to much discussion with Dan and Stephen, I'm pretty sure I have
> > this correct now.
>
>
> Here is the reference policy part of the patches (libselinux came
> previously and PAM is next).
In addition to the permission name, I'd have expected the rule (and the
check in the code) to always use the same type in both contexts, so the
rules could just be:
allow $1 self:context <permissionname>;
Not allow $1 domain:context, which will yield many more rules without
any real justification.
--
Stephen Smalley
National Security Agency
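To make the point about `self` versus `domain` concrete, here is an added illustration (not code from this thread, from mcstransd or from the reference policy) that models how the two rule forms expand: the target context for the check is built from the caller's own user/role/type with only the level swapped, so a `self` rule covers it while a `domain` rule additionally covers every domain type. The permission name `translate`, the type names and the `domain` attribute membership are assumed.

```python
# Added illustration (not from the mailing-list thread or the mcstransd/refpolicy
# code): a tiny model of how an SELinux allow rule on class "context" is matched,
# to contrast "allow $1 self:context ..." with "allow $1 domain:context ...".
# Permission name "translate", type names and attribute members are constructed.

# Constructed policy fragment: which types carry the "domain" attribute.
ATTRIBUTES = {"domain": {"sshd_t", "newrole_t", "mcstransd_t", "user_t"}}

def parse_context(con):
    """Split 'user:role:type:level' into its fields (the level may contain ':')."""
    user, role, typ, level = con.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}

def target_for_translation(caller_con, level):
    """Build the target context for the translate check: the caller's own
    user/role/type with the level being translated substituted in, so the
    only difference between source and target is the MLS level.  Whether the
    caller's range dominates that level is left to the policy's MLS
    constraints; this model only covers type-enforcement matching."""
    c = parse_context(caller_con)
    return f"{c['user']}:{c['role']}:{c['type']}:{level}"

def expand_rule(source_type, target_spec):
    """Expand one rule 'allow <source_type> <target_spec>:context translate;'
    into the set of (source_type, target_type) pairs it permits.
    'self' means the target type equals the source type; an attribute name
    expands to every type that carries it; anything else is a literal type."""
    if target_spec == "self":
        return {(source_type, source_type)}
    if target_spec in ATTRIBUTES:
        return {(source_type, t) for t in ATTRIBUTES[target_spec]}
    return {(source_type, target_spec)}

def check(rules, scon, tcon):
    """Return True if any expanded rule covers the (source type, target type) pair."""
    pair = (parse_context(scon)["type"], parse_context(tcon)["type"])
    return any(pair in expand_rule(s, t) for s, t in rules)

if __name__ == "__main__":
    caller = "staff_u:staff_r:sshd_t:s0-s15:c0.c1023"
    tcon = target_for_translation(caller, "s2:c1")
    self_rule = [("sshd_t", "self")]      # allow sshd_t self:context translate;
    domain_rule = [("sshd_t", "domain")]  # allow sshd_t domain:context translate;
    # Both forms permit the same-type check the daemon actually needs ...
    print(check(self_rule, caller, tcon), check(domain_rule, caller, tcon))
    # ... but the domain form expands to one pair per domain type instead of one.
    print(len(expand_rule("sshd_t", "self")), len(expand_rule("sshd_t", "domain")))
```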