From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SELinux <SELinux@tycho.nsa.gov>, Colin Walters <walters@redhat.com>
Subject: Re: Added is_context_configurable function
Date: Tue, 11 Jan 2005 11:12:36 -0500
Message-ID: <41E3FAF4.2060109@redhat.com>
In-Reply-To: <1105456934.20566.52.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:

>On Mon, 2005-01-10 at 17:17, Daniel J Walsh wrote:
>
>>This patch defines two functions.
>>
>>is_context_configurable(scontext) 
>>This returns if if the context is in the 
>>/etc/selinux/*/contexts/configurable_contexts file.
>>0 If not and -1 on error.
>>
>>Internally this calls get_configurable_context_list which returns a 
>>contextarray of the contexts of that file.
>>
>>I have also patched the policy makefile to populate that file, but 
>>looking for all contexts marked as configurable.
>>
>>Now I would like to use this function in restorecon/setfiles, so that by 
>>default they will leave configurable contexts alone.
>
>I think that in prior discussions of this functionality, we had
>discussed allowing an optional list of alternative contexts at the end
>of each entry in the file_contexts configuration, and having
>setfiles/restorecon not change the context if the file already had any
>context in that list, but still set the context to the first context
>listed if the file lacked any context at all (e.g. initial labeling). 
>I'm not sure I see the benefit of marking the types with an attribute in
>the policy since you aren't defining any rules based on that attribute
>or providing a separate configuration file from file_contexts.
>
I think this is more flexible, in that it allows users to specify the
location of these files versus policy. I.e., I create a new top-level
directory /rsync which I want to label ftp_anon_t; I don't want to have
to specify that ftp_anon_t is an alternative to default_t. Specifying it
as an attribute just gives a way of creating the file on the fly from
policy rather than just having a flat file in contexts called
configurable_contexts; also, depending on the policy, the file may
differ. I could see someone writing policy, say, allowing ftp
r_dir_file(ftp_t, configurable).

I think we should also rename the concept from configurable_contexts to
configurable_types, and change all the functions to match, since this is
really just the type we are concerned with.

Dan
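
A sketch of the relabel decision discussed in this message, keyed on the type field only. It is an added example, not code from the patch or from libselinux. The function names, the sample list and the 1/0/-1 return convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample list; a real list would be generated from policy. */
static const char *const sample_types[] = { "ftp_anon_t", "example_configurable_t", NULL };

/* Copy the type, the third ':'-separated field of user:role:type[:range],
 * into out. Returns 0 on success, -1 if the context is malformed. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p, *end;
    if (ctx == NULL || out == NULL || outlen == 0)
        return -1;
    p = strchr(ctx, ':');                  /* end of the user field */
    p = p ? strchr(p + 1, ':') : NULL;     /* end of the role field */
    if (p == NULL)
        return -1;
    p++;
    end = strchr(p, ':');                  /* a range may follow the type */
    if (end == NULL)
        end = p + strlen(p);
    if (end == p || (size_t)(end - p) >= outlen)
        return -1;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 0;
}

/* Hypothetical helper: 1 if the type is listed, 0 if not, -1 on error. */
int type_is_configurable(const char *ctx, const char *const *types)
{
    char type[128];
    if (context_type(ctx, type, sizeof(type)) < 0)
        return -1;
    for (; *types != NULL; types++)
        if (strcmp(type, *types) == 0)
            return 1;
    return 0;
}

/* Hypothetical decision: 1 = set the default, 0 = leave alone, -1 = error. */
int should_relabel(const char *current, const char *dflt, const char *const *types)
{
    if (dflt == NULL) return -1;
    if (current == NULL) return 1;             /* no context yet: initial labeling */
    if (strcmp(current, dflt) == 0) return 0;  /* already the default */
    int r = type_is_configurable(current, types);
    return r < 0 ? -1 : !r;                    /* configurable type: leave alone */
}
```

With this logic, the /rsync directory labeled ftp_anon_t is left alone even though its default would be default_t, while a file with any unlisted type is reset to the default.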