From: Joshua Brindle <method@manicmethod.com>
To: Todd Miller <Tmiller@tresys.com>
Cc: Klaus Weidner <klaus@atsec.com>,
	James Antill <jantill@redhat.com>, Paul Moore <paul.moore@hp.com>,
	SE Linux <selinux@tycho.nsa.gov>,
	Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: Fedora Core 7 has frozen and Fedora 8 Development has started
Date: Tue, 22 May 2007 11:14:37 -0400
Message-ID: <465308DD.2090600@manicmethod.com>
In-Reply-To: <6FE441CD9F0C0C479F2D88F959B01588BEFCC2@exchange.columbia.tresys.com>

Todd Miller wrote:
> Joshua Brindle wrote:
>   
>> How would the client get that kind of information? apol is the only
>> app I know of that does any kind of relabel analysis to see who
>> can relabel what-to-what and that would be a pretty high level
>> dependency for nautilus (and it also uses the policy on disk instead
>> of the one loaded into the kernel). Also the list would be completely
>> unusable when run from unconfined_t, which is the normal use case.
>>     
>
> There was a proof of concept file label utility in SEDarwin that used a
> sysctl to get the list of allowable file contexts for a user.  Like you
> say, it was basically useless from unconfined_t (it was initially
> written for the old example policy).
>   

What does allowable file context mean?

You need to be able to do an analysis on the policy to see what the user can
relabelfrom and what they can relabelto. If they can't relabelfrom the
file being modified in nautilus then nothing should appear, otherwise
the types they can relabelto would appear.
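
The relabelfrom/relabelto check described in this message, sketched as an added example that is not part of the original message or of any SELinux tool. It assumes a constructed set of flat `allow` rules with attributes already expanded, ignores `constrain` statements, and uses hypothetical helper names (`load_rules`, `relabel_choices`).

```python
import re
from collections import defaultdict

# Constructed sample rules in kernel policy language; not from any real policy.
SAMPLE_POLICY = """
allow user_t user_home_t:file { read write relabelfrom relabelto };
allow user_t httpd_user_content_t:file { getattr relabelto };
allow user_t user_tmp_t:file relabelto;
allow user_t etc_t:file { read getattr };
allow staff_t etc_t:file { relabelfrom relabelto };
allow user_t user_home_t:dir { search relabelfrom };
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> ... };
RULE = re.compile(r"allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")


def load_rules(text):
    """Return {(source, class): {target_type: set(perms)}} from flat allow rules."""
    table = defaultdict(lambda: defaultdict(set))
    for src, tgt, cls, braced, single in RULE.findall(text):
        perms = braced.split() if braced else [single]
        table[(src, cls)][tgt].update(perms)
    return table


def relabel_choices(table, domain, current_type, cls="file"):
    """Types `domain` may relabel an object of `current_type` to.

    Returns an empty list when the domain lacks relabelfrom on the current
    type, the case where the message says nothing should appear.
    """
    by_target = table.get((domain, cls), {})
    if "relabelfrom" not in by_target.get(current_type, set()):
        return []
    return sorted(t for t, perms in by_target.items() if "relabelto" in perms)


RULES = load_rules(SAMPLE_POLICY)

if __name__ == "__main__":
    for domain, ftype in [("user_t", "user_home_t"), ("user_t", "etc_t")]:
        print(domain, ftype, "->", relabel_choices(RULES, domain, ftype))
```
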
