From: Ted X Toth <txtoth@gmail.com>
To: russell@coker.com.au
Cc: Michael C Thompson <thompsmc@us.ibm.com>, selinux@tycho.nsa.gov
Subject: Re: directory polyinstantiation failure
Date: Tue, 24 Apr 2007 15:19:57 -0500 [thread overview]
Message-ID: <462E666D.30303@gmail.com> (raw)
In-Reply-To: <200704241906.55645.russell@coker.com.au>
Russell Coker wrote:
> On Thursday 19 April 2007 02:59, "Xavier Toth" <txtoth@gmail.com> wrote:
>
>> Why if getexeccon fails doesn't it make sense to polyinstantiate based
>> on context/level? Why not call getcon lf getexeccon fails and use that
>> context instead of switching the method?
>>
>
> That depends on the aim of the PI.
>
> If the aim is merely to isolate the session from other sessions then it's
> probably OK to skip the things that don't change (although this optimisation
> doesn't seem to give any benefit).
>
> If the aim is to give each session a PI directory that matches it's context
> such that any other session which is established with the same context will
> have the same directory then all items have to be used.
>
> Also while on the topic, we need an option to do PI based on the GID as well
> (this was requested on a few occasions when I gave talks about it). So we
> could have configuration options to specify a list of items to use, the full
> SE Linux context, the MLS/MCS level, the role, the Linux UID, and the Linux
> GID.
>
>
One of the enhancements I've thinking about would be to allow for a user
defined method for naming instead of the fixed naming of the current
implementation. There could be expandable terms like USER, CONTEXT,
LEVEL, UID, GID, HASH, ROLE which could be used to format the name to be
generated. For example :
/tmp/foo /tmp/foo.inst $LEVEL_$USER root
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-04-24 20:20 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-04-17 18:07 directory polyinstantiation failure Xavier Toth
2007-04-17 18:47 ` Michael C Thompson
2007-04-17 19:23 ` Xavier Toth
2007-04-17 20:19 ` Michael C Thompson
2007-04-18 16:59 ` Xavier Toth
2007-04-18 20:04 ` Linda Knippers
2007-04-19 14:04 ` Ted X Toth
2007-04-24 9:06 ` Russell Coker
2007-04-24 20:19 ` Ted X Toth [this message]
-- strict thread matches above, loose matches on Subject: below --
2007-04-24 15:06 Chad Hanson
2007-04-24 17:49 ` Ted X Toth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=462E666D.30303@gmail.com \
--to=txtoth@gmail.com \
--cc=russell@coker.com.au \
--cc=selinux@tycho.nsa.gov \
--cc=thompsmc@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.