[redhat-lspp] Just noticed a problem with semanage/semodule and SELinux policy

Chad Hanson chanson at TrustedCS.com
Mon Jan 29 14:46:44 UTC 2007


> 
> Making all of the files under /etc/selinux/mls SystemHigh would be
> simpler (just run semanage/semodule at SystemHigh too), but will prevent
> any use of those files by any process that either is not SystemHigh or
> lacks MLS overrides.  Not sure to what extent that is an issue.
> 
> Making all of the files under /etc/selinux/mls SystemLow would also be
> simpler, but might not be acceptable in some cases (as you describe).
> But not clear that it matters from an LSPP point of view per se.
> 

I would concur with this idea as well. It is much simpler to use SystemHigh
than trying to figure out what the exact label should be at a given time...

I don't know what view Klaus has on this... The other interesting fact is that
at least most of these files show labels in raw form, so the bits are known,
but the names used in translation are not, as long as the translation system is
protected...

-Chad



