[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole

James Antill jantill at redhat.com
Tue Oct 31 18:33:02 UTC 2006


On Tue, 2006-10-31 at 11:21 -0500, Stephen Smalley wrote:

> No.  The ability to make the security call is controlled by the
> compute_av permission on the security class, and isn't based on the
> individual contexts passed as arguments.  That would be:
> 	allow $1 security_t:security compute_av;
> which has an interface:
> 	selinux_compute_access_vector($1)
> which is already in authlogin.if.  No change required for allowing the
> call to happen.
> 
> What you are instead trying to do is to define the _result_ of that
> compute_av call based on its arguments, not whether it can be made by
> login.  So the TE rule would go into userdomain.if and be of the form:
> 	allow $1 self:context <permissionname>;

 Ok, I think I have it now. Both patches are at (with the renamed
permission):

 http://people.redhat.com/jantill/pam-config_role/upstream/


-- 
James Antill - <james.antill at redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET,  SO_ATTACH_FILTER, ...);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy-pam-range-checking.patch
Type: text/x-patch
Size: 1095 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061031/c57028b5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinux-pam-range-checking.patch
Type: text/x-patch
Size: 987 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20061031/c57028b5/attachment-0001.bin>
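The policy pieces Stephen describes, written out as an added illustration that is not either of the attached patches: the TE rule in userdomain.if that lets compute_av on the context class return "allowed" at all, the MLS constraint that then decides the range result, and the call-side permission for the login program. The interface name userdom_mls_range_check and the permission name contains are assumptions, since the thread only says the permission was renamed.

```selinux
########################################
## <summary>
##	Let a user domain ask the kernel (via compute_av on the context
##	class) whether one of its own contexts contains another, as a
##	login program does when validating a requested MLS range.
## </summary>
## <param name="domain">
##	<summary>
##	User domain whose contexts are passed to compute_av.
##	</summary>
## </param>
#
# Hypothetical interface for userdomain.if (the name is an assumption).
interface(`userdom_mls_range_check',`
	gen_require(`
		class context contains;
	')

	# TE side: without this rule compute_av reports the permission as
	# denied before MLS is consulted. "contains" stands in for the renamed
	# permission, which the thread does not name.
	allow $1 self:context contains;
')

# MLS side (policy/mls): this constraint, not the TE rule, decides the
# result. The source context (the user's authorized range) must dominate
# the high level of the target (the requested range) and be dominated by
# its low level, i.e. the requested range must lie inside the authorized one.
mlsconstrain context contains
	(( h1 dom h2 ) and ( l1 domby l2 ));

# Caller side (e.g. ssh.te): the login program only needs permission to
# make the compute_av call; the contexts it passes are not part of this check.
selinux_compute_access_vector(sshd_t)

# The user domain itself is what gets the context permission, e.g. for user_t:
userdom_mls_range_check(user_t)
```

With both halves in place, a denial from compute_av for a requested range outside the user's authorized range shows up as a plain MLS constraint failure, which is the behaviour the PAM range check relies on.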

