From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
SE Linux <selinux@tycho.nsa.gov>,
Joshua Brindle <jbrindle@tresys.com>
Subject: Re: Policycoreutils latest diffs.
Date: Wed, 04 Jan 2006 12:31:45 -0500 [thread overview]
Message-ID: <43BC0681.2090403@cornell.edu> (raw)
In-Reply-To: <43BC1ECA.1070806@redhat.com>
> delete
> if does not exist local; error since you can not delete an object from
> the server?
> Prevent the user from deleting SELinux User "root"
Right.. I would two tests, and then if exists fails say: object does not
exist
if exists_local fails say: object is built into policy and can't be deleted.
There's still the issue of how the user would know that at all, since
list does not indicate
what's local and what isn't, but it's a good point to start at.
>
> Add
> if does exist: error
yes, that should be sufficient.
>
> Modify:
> If does not exist local; you are not allowed to modify, see above.
That's tricky. That depends on what you want modify to do.
The libsemanage modify_local function is with respect to the local
store, but
anything you write in the store at all will modify policy, so you can go
either way
with your higher level modify. The question is what you're modifying,
and does
the user understand that.
I think to be consistent with add(), you should modify with respect to
policy, and not do any checks here.
====
Btw, if there's interest in writing an API that works on policy alone,
minus local modifications, that can be done - it just requires writing
down another policy after expand, and before any local things are
written down.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2006-01-04 17:31 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-03 18:39 Policycoreutils latest diffs Daniel J Walsh
2006-01-03 17:22 ` Ivan Gyurdiev
2006-01-04 16:33 ` Ivan Gyurdiev
2006-01-04 16:40 ` Ivan Gyurdiev
2006-01-04 19:15 ` Daniel J Walsh
2006-01-04 17:31 ` Ivan Gyurdiev [this message]
2006-01-04 17:37 ` Ivan Gyurdiev
2006-01-04 19:35 ` Joshua Brindle
2006-01-04 17:38 ` Ivan Gyurdiev
2006-01-04 19:39 ` Daniel J Walsh
2006-01-04 19:41 ` Joshua Brindle
2006-01-04 18:02 ` Ivan Gyurdiev
2006-01-04 20:11 ` Joshua Brindle
2006-01-04 19:03 ` Ivan Gyurdiev
2006-01-03 18:04 ` Ivan Gyurdiev
2006-01-04 17:36 ` Stephen Smalley
-- strict thread matches above, loose matches on Subject: below --
2006-02-22 18:23 policycoreutils " Daniel J Walsh
2006-02-23 14:02 ` Stephen Smalley
2006-03-08 17:29 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43BC0681.2090403@cornell.edu \
--to=ivg2@cornell.edu \
--cc=dwalsh@redhat.com \
--cc=jbrindle@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.