* I would like to suggest a new file attribute like usersafe.
@ 2004-03-24 21:42 Daniel J Walsh
2004-03-24 21:56 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2004-03-24 21:42 UTC (permalink / raw)
To: SELinux
One of the things I have thinking about at is the ability to globally
say a context can read these files.
For instance allowing the slocate policy to read files. Rather then
trying to figure out all of the file types
that are safe to read and listing them in policy, if we had a attribute,
similar to sysadminfile, that indicated
it was safe for users access we could have a simpler rules.
usersafefile?
So as policy developers decide to add a new context for XYZ app, they
can add attribute that will allow
users access.
r_dir_file($1_locate_s, usersafefile)
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: I would like to suggest a new file attribute like usersafe.
2004-03-24 21:42 I would like to suggest a new file attribute like usersafe Daniel J Walsh
@ 2004-03-24 21:56 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2004-03-24 21:56 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On Wed, 2004-03-24 at 16:42, Daniel J Walsh wrote:
> One of the things I have thinking about at is the ability to globally
> say a context can read these files.
> For instance allowing the slocate policy to read files. Rather then
> trying to figure out all of the file types
> that are safe to read and listing them in policy, if we had a attribute,
> similar to sysadminfile, that indicated
> it was safe for users access we could have a simpler rules.
>
> usersafefile?
>
>
>
> So as policy developers decide to add a new context for XYZ app, they
> can add attribute that will allow
> users access.
>
> r_dir_file($1_locate_s, usersafefile)
How about userreadable? Or something similar to indicate that it is
strictly for allowing read access? This is similar to the existing
readable_t type, but would let you preserve different types (and thus
different write rules).
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-03-24 21:56 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-24 21:42 I would like to suggest a new file attribute like usersafe Daniel J Walsh
2004-03-24 21:56 ` Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.