* Fedora Core 7 has frozen and Fedora 8 Development has started
From: Daniel J Walsh @ 2007-05-18 20:59 UTC
To: SE Linux
This is a good time to get experimental code/updates into the rawhide
stream.

My goals for Fedora 8:

* Continued consolidation of targeted and strict policy.
  - Remove selinux-policy-strict package
  - Add all user roles from strict policy to targeted
  - Remove unconfined.pp and you have ~= Strict
  - Add new roles
    - guest_r - terminal sessions only, no network, no setuid apps
    - xguest_r - X-Windows version of guest_t
    - webadm_r - UID 0 role that can administer http
    - logadm_r - UID 0 role that can administer syslog/audit
* Begin using Trusted X Extensions
  - Limited control on Screen Capture
  - Control access to keyboard input
* Continue confining all System Domains in Fedora. (What used to be in
  Extras)

Others???
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Klaus Weidner @ 2007-05-21 19:08 UTC
To: Daniel J Walsh; +Cc: SE Linux

On Fri, May 18, 2007 at 04:59:55PM -0400, Daniel J Walsh wrote:
> This is a good time to get experimental code/updates into the rawhide
> stream.
[...]
> Others???

I haven't seen MCS mentioned much recently, is anyone working on that at
this time? Back at the 2006 SELinux symposium there were plans to
integrate category support in file managers and maybe other user tools,
to make it more suitable for everyday use by non-experts.

-Klaus
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Daniel J Walsh @ 2007-05-21 19:15 UTC
To: Klaus Weidner; +Cc: SE Linux

Klaus Weidner wrote:
> On Fri, May 18, 2007 at 04:59:55PM -0400, Daniel J Walsh wrote:
>> This is a good time to get experimental code/updates into the rawhide
>> stream.
> [...]
>> Others???
>
> I haven't seen MCS mentioned much recently, is anyone working on that at
> this time? Back at the 2006 SELinux symposium there were plans to
> integrate category support in file managers and maybe other user tools,
> to make it more suitable for everyday use by non-experts.
>
> -Klaus

We switched to using the entire context. There have been some arguments
over the value of MCS versus better support for Type Enforcement in
general. Nautilus, for example, now can display the security context of
files and allows you to modify it. We would like to be able to add
support for "types" in mailers, editors (ooffice), and other tools.
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Paul Moore @ 2007-05-21 19:43 UTC
To: SE Linux; +Cc: Daniel J Walsh, Klaus Weidner

On Monday, May 21 2007 3:15:24 pm Daniel J Walsh wrote:
> Klaus Weidner wrote:
> > On Fri, May 18, 2007 at 04:59:55PM -0400, Daniel J Walsh wrote:
> >> This is a good time to get experimental code/updates into the rawhide
> >> stream.
> >
> > [...]
> >
> >> Others???
> >
> > I haven't seen MCS mentioned much recently, is anyone working on that at
> > this time? Back at the 2006 SELinux symposium there were plans to
> > integrate category support in file managers and maybe other user tools,
> > to make it more suitable for everyday use by non-experts.
> >
> > -Klaus
>
> We switched to using the entire context. There has been some arguments
> over the value of MCS versus better support for Type Enforcement in general.

If I recall correctly, there was some chatter about creating a more generic
translation facility so that we could translate the entire SELinux context,
versus the MLS range which we do now, into a more human readable label. I
believe doing something like this would help achieve some of the goals that
Klaus hinted at with the "make it more suitable for everyday use by
non-experts". It would also help to reinforce the notion that the context is
a blob and in general shouldn't be parsed by applications that don't know
what they are doing.

--
paul moore
linux security @ hp
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: James Antill @ 2007-05-21 20:27 UTC
To: Paul Moore; +Cc: SE Linux, Daniel J Walsh, Klaus Weidner

On Mon, 2007-05-21 at 15:43 -0400, Paul Moore wrote:
> If I recall correctly, there was some chatter about creating a more generic
> translation facility so that we could translate the entire SELinux context,
> versus the MLS range which we do now, into a more human readable label. I
> believe doing something like this would help achieve some of the goals that
> Klaus hinted at with the "make it more suitable for everyday use by
> non-experts". It would also help to reinforce the notion that the context is
> a blob and in general shouldn't be parsed by applications that don't know
> what they are doing.

Right, this is one of the really horrible things in the nautilus code
to change the context. I've included the full function at the end of
this email, so you can all bask in its unworthiness (and it's probably
already out of date).
If we can fix this in a good way just for targeted/nautilus, that would
be a significant win ... the other obvious use would be integration into
sealert messages.

/* Headers the excerpt relies on: strcmp() and the gettext _() macro. */
#include <string.h>
#include <glib/gi18n.h>

# define HACK_TYPE(x, y) \
        else if (!strcmp (nice_type, x)) nice_type = y

/* hack to convert a selinux_context type into a readable string for the user */
static const char *
selinux__hack_conv_type (const char *type)
{
  /* FIXME: hack attack, but nowhere else to put it. Because matchpathcon
   * here now probably want a bunch of other types?
   */
  const char *nice_type;

  nice_type = type;

  /* The empty if() lets every HACK_TYPE() expand to an "else if" branch;
   * the first matching branch wins and unknown types fall through unchanged. */
  if (0) { }
  HACK_TYPE("cupsd_etc_t", _("CUPS printer configuration"));
  HACK_TYPE("cupsd_rw_etc_t", _("CUPS printer configuration (rw)"));
  HACK_TYPE("cupsd_tmp_t", _("CUPS temporary data"));
  HACK_TYPE("dhcp_etc_t", _("DHCP configuration"));
  HACK_TYPE("dictd_etc_t", _("Dictd configuration"));
  HACK_TYPE("dnssec_t", _("DNS secret"));
  HACK_TYPE("etc_t", _("System configuration"));
  HACK_TYPE("etc_aliases_t", _("Email aliases configuration"));
  HACK_TYPE("etc_runtime_t", _("System configuration (rw)"));
  HACK_TYPE("cvs_data_t", _("Read and write from CVS daemon"));
  HACK_TYPE("httpd_config_t", _("Apache-httpd configuration"));
  HACK_TYPE("httpd_php_tmp_t", _("Apache-httpd PHP module temporary data"));
  HACK_TYPE("httpd_sys_content_t", _("Read from all httpd scripts and the daemon"));
  HACK_TYPE("httpd_sys_htaccess_t", _("Apache-httpd .htaccess configuration"));
  HACK_TYPE("httpd_sys_script_exec_t", _("CGI programs with default access"));
  HACK_TYPE("httpd_sys_script_ra_t", _("CGI programs can read and append"));
  HACK_TYPE("httpd_sys_script_ro_t", _("CGI programs can read"));
  HACK_TYPE("httpd_sys_script_rw_t", _("CGI programs can read and write"));
  HACK_TYPE("httpd_unconfined_script_exec_t",
            _("CGI programs without any SELinux protection"));
  HACK_TYPE("httpd_tmp_t", _("Apache-httpd temporary data"));
  HACK_TYPE("ice_tmp_t", _("ICE temporary data"));
  HACK_TYPE("locale_t", _("Locale data"));
  HACK_TYPE("mysql_tmp_t", _("MySQL temporary data"));
  HACK_TYPE("named_conf_t", _("Nameserver configuration"));
  HACK_TYPE("net_conf_t", _("Network configuration"));
  HACK_TYPE("postgresql_tmp_t", _("Postgresql temporary data"));
  HACK_TYPE("public_content_rw_t",
            _("Read and write from CIFS/ftp/http/nfs/rsync"));
  HACK_TYPE("public_content_t", _("Read from CIFS/ftp/http/nfs/rsync"));
  HACK_TYPE("samba_etc_t", _("Samba configuration"));
  HACK_TYPE("samba_share_t", _("Shared via CIFS (samba)"));
  HACK_TYPE("staff_home_t", _("Staff user data"));
  HACK_TYPE("staff_home_dir_t", _("Staff user home directory"));
  HACK_TYPE("swapfile_t", _("System swapfile"));
  HACK_TYPE("sysadm_home_t", _("Sysadmin user data"));
  HACK_TYPE("sysadm_home_dir_t", _("Sysadmin user home directory"));
  HACK_TYPE("system_cron_spool_t", _("Cron data"));
  HACK_TYPE("tmp_t", _("Temporary data"));
  HACK_TYPE("user_tmp_t", _("User temporary data"));
  HACK_TYPE("user_home_t", _("User data"));
  HACK_TYPE("user_home_dir_t", _("User home directory"));
  HACK_TYPE("var_log_t", _("Logfile"));
  HACK_TYPE("xen_image_t", _("Xen image"));

  return nice_type;
}
#undef HACK_TYPE

--
James Antill <jantill@redhat.com>
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Klaus Weidner @ 2007-05-21 22:13 UTC
To: James Antill; +Cc: Paul Moore, SE Linux, Daniel J Walsh

On Mon, May 21, 2007 at 04:27:02PM -0400, James Antill wrote:
> On Mon, 2007-05-21 at 15:43 -0400, Paul Moore wrote:
> > If I recall correctly, there was some chatter about creating a more generic
> > translation facility so that we could translate the entire SELinux context,
> > versus the MLS range which we do now, into a more human readable label. I
> > believe doing something like this would help achieve some of the goals that
> > Klaus hinted at with the "make it more suitable for everyday use by
> > non-experts". It would also help to reinforce the notion that the context is
> > a blob and in general shouldn't be parsed by applications that don't know
> > what they are doing.
>
> Right, this is one of the really horrible things in the nautilus code
> to change the context. I've included the full function at the end of
> this email, so you can all bask in it's unworthyness (and it's probably
> already out of date).
> If we can fix this in a good way just for targeted/nautilus, that would
> be a significant win ... the other obvious use would be integration into
> sealert messages.

(Disclaimer: I haven't tried the current Nautilus, so apologies if this
is already implemented or if I've misunderstood things.)

The refpolicy already has nice self-documenting features, I think it
would be nice to use the same XML system for describing types and
attributes in a machine-readable way. Maybe also with both the
human-readable name and a longer descriptive text? Then the Nautilus
build could pick up the information automatically.

Would it make sense to make a distinction between end user modifiable
types and admin types? For example, at first glance the following look as
if they'd be most relevant for non-admin users:

> HACK_TYPE("cvs_data_t", _("Read and write from CVS daemon"));
> HACK_TYPE("public_content_rw_t",
>           _("Read and write from CIFS/ftp/http/nfs/rsync"));
> HACK_TYPE("public_content_t", _("Read from CIFS/ftp/http/nfs/rsync"));
> HACK_TYPE("samba_share_t", _("Shared via CIFS (samba)"));
> HACK_TYPE("staff_home_t", _("Staff user data"));
> HACK_TYPE("staff_home_dir_t", _("Staff user home directory"));
> HACK_TYPE("sysadm_home_t", _("Sysadmin user data"));
> HACK_TYPE("sysadm_home_dir_t", _("Sysadmin user home directory"));
> HACK_TYPE("tmp_t", _("Temporary data"));
> HACK_TYPE("user_tmp_t", _("User temporary data"));
> HACK_TYPE("user_home_t", _("User data"));
> HACK_TYPE("user_home_dir_t", _("User home directory"));
> HACK_TYPE("xen_image_t", _("Xen image"));

Maybe one way to do that would be to use a drop-down for the type that
only contains the types that the user is actually permitted to change
this object to?

I think a good use case for either MCS or TE for normal users would be to
mark untrusted Internet data (for example along with confining the web
browser), and maybe separately mark sensitive data that should be
inaccessible for most programs (financial records)?

Hmmm, how about integrating MCS categories with the virtual desktop
workspaces? For example, virtual desktop 2 is for the web browser, and
virtual desktop 3 for GnuCash and related programs? The user (optionally)
configures the category as part of the workspace properties, and apps
launched on that workspace automatically use that category.

I think the advantage of MCS would be that it's largely orthogonal to TE
and could be customized according to local requirements without having
the developers need to predict all the potential use cases.

-Klaus
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Paul Moore @ 2007-05-22 1:34 UTC
To: Klaus Weidner; +Cc: James Antill, SE Linux, Daniel J Walsh

On Monday 21 May 2007 6:13:04 pm Klaus Weidner wrote:
> I think the advantage of MCS would be that it's largely orthogonal to TE
> and could be customized according to local requirements without having
> the developers need to predict all the potential use cases.

I believe the argument here was that the "better" approach is to properly
support user generated/managed types to achieve local customization
requirements. There was even talk of using (I'm going to get the
terminology all wrong, forgive me) base/parent types to bound the access
permissions of these user/child types which isn't something that is easily
expressed through MCS.

--
paul moore
linux security @ hp
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Joshua Brindle @ 2007-05-22 13:31 UTC
To: Klaus Weidner; +Cc: James Antill, Paul Moore, SE Linux, Daniel J Walsh

Klaus Weidner wrote:
> On Mon, May 21, 2007 at 04:27:02PM -0400, James Antill wrote
>
> Would it make sense to make a distinction between end user modifiable
> types and admin types? For example, at first glance the following look as
> if they'd be most relevant for non-admin users:
>
>> HACK_TYPE("cvs_data_t", _("Read and write from CVS daemon"));
>> HACK_TYPE("public_content_rw_t",
>>           _("Read and write from CIFS/ftp/http/nfs/rsync"));
>> HACK_TYPE("public_content_t", _("Read from CIFS/ftp/http/nfs/rsync"));
>> HACK_TYPE("samba_share_t", _("Shared via CIFS (samba)"));
>> HACK_TYPE("staff_home_t", _("Staff user data"));
>> HACK_TYPE("staff_home_dir_t", _("Staff user home directory"));
>> HACK_TYPE("sysadm_home_t", _("Sysadmin user data"));
>> HACK_TYPE("sysadm_home_dir_t", _("Sysadmin user home directory"));
>> HACK_TYPE("tmp_t", _("Temporary data"));
>> HACK_TYPE("user_tmp_t", _("User temporary data"));
>> HACK_TYPE("user_home_t", _("User data"));
>> HACK_TYPE("user_home_dir_t", _("User home directory"));
>> HACK_TYPE("xen_image_t", _("Xen image"));
>
> Maybe one way to do that would be to use a drop-down for the type that
> only contains the types that the user is actually permitted to change
> this object to?

How would the client get that kind of information? apol is the only app I
know of that does any kind of relabel analysis to see who can relabel
what-to-what, and that would be a pretty high level dependency for
nautilus (and it also uses the policy on disk instead of the one loaded
into the kernel). Also the list would be completely unusable when run
from unconfined_t, which is the normal use case.

> I think a good use case for either MCS or TE for normal users would be to
> mark untrusted Internet data (for example along with confining the web
> browser), and maybe separately mark sensitive data that should be
> inaccessible for most programs (financial records)?
>
> Hmmm, how about integrating MCS categories with the virtual desktop
> workspaces? For example, virtual desktop 2 is for the web browser, and
> virtual desktop 3 for GnuCash and related programs? The user (optionally)
> configures the category as part of the workspace properties, and apps
> launched on that workspace automatically use that category.

Sounds like you want CMWs for MCS, and I doubt that's how people will
want to use MCS (assuming they ever want to use it at all).

> I think the advantage of MCS would be that it's largely orthogonal to TE
> and could be customized according to local requirements without having
> the developers need to predict all the potential use cases.

We have yet to determine if MCS is useful at all, but I don't think that
there are any doubts that TE is better for a huge number of security
objectives, particularly things like allowing apache to read files in
your home directory and things of that nature.
* RE: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Todd Miller @ 2007-05-22 14:54 UTC
To: Joshua Brindle, Klaus Weidner
Cc: James Antill, Paul Moore, SE Linux, Daniel J Walsh

Joshua Brindle wrote:
> How would the client get that kind of information? apol is the only
> app I know if that does any kind of relabel analysis to see what who
> can relabel what-to-what and that would be a pretty high level
> dependency for nautilus (and it also uses the policy on disk instead
> of the one loaded into the kernel). Also the list would be completely
> unusable when run from unconfined_t, which is the normal use case.

There was a proof of concept file label utility in SEDarwin that used a
sysctl to get the list of allowable file contexts for a user. Like you
say, it was basically useless from unconfined_t (it was initially
written for the old example policy).

- todd
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Joshua Brindle @ 2007-05-22 15:14 UTC
To: Todd Miller
Cc: Klaus Weidner, James Antill, Paul Moore, SE Linux, Daniel J Walsh

Todd Miller wrote:
> Joshua Brindle wrote:
>
>> How would the client get that kind of information? apol is the only
>> app I know if that does any kind of relabel analysis to see what who
>> can relabel what-to-what and that would be a pretty high level
>> dependency for nautilus (and it also uses the policy on disk instead
>> of the one loaded into the kernel). Also the list would be completely
>> unusable when run from unconfined_t, which is the normal use case.
>
> There was a proof of concept file label utility in SEDarwin that used a
> sysctl to get the list of allowable file contexts for a user. Like you
> say, it was basically useless from unconfined_t (it was initially
> written for the old example policy).

What does allowable file context mean?

You need to be able to do an analysis on the policy to see what user can
relabelfrom and what they can relabelto. If they can't relabelfrom the
file being modified in nautilus then nothing should appear, otherwise
the types they can relabelto would appear.
* RE: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Todd Miller @ 2007-05-22 15:36 UTC
To: Joshua Brindle
Cc: Klaus Weidner, James Antill, Paul Moore, SE Linux, Daniel J Walsh

Joshua Brindle wrote:
>
> What does allowable file context mean?
>
> You need to be able to do an analysis on the policy to see what user
> can relabelfrom and what they can relabelto. If they can't
> relabelfrom the file being modified in nautilus then nothing should
> appear, otherwise the types they can relabelto would appear.

A security_get_file_sids() function was added to the security server
that takes a usersid and a class (was always SECLASS_FILE) and returns a
list of sids that the user has relabelto permissions. It was probably
not really sufficient for the task as it doesn't take relabelfrom into
account (it predates any hacking I did on SEDarwin, though I did stop it
from panicking).

The kernel code in question is still online at:
http://sedarwin.org/cgi-bin/cvsweb/sedarwin8/policies/sedarwin/sedarwin/ss/services.c

- todd
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Joshua Brindle @ 2007-05-22 16:00 UTC
To: Todd Miller
Cc: Klaus Weidner, James Antill, Paul Moore, SE Linux, Daniel J Walsh

Todd Miller wrote:
> Joshua Brindle wrote:
>
>> What does allowable file context mean?
>>
>> You need to be able to do an analysis on the policy to see what user
>> can relabelfrom and what they can relabelto. If they can't
>> relabelfrom the file being modified in nautilus then nothing should
>> appear, otherwise the types they can relabelto would appear.
>
> A security_get_file_sids() function was added to the security server
> that takes a usersid and a class (was always SECLASS_FILE) and returns a
> list of sids that the user has relabelto permissions. It was probably
> not really sufficient for the task as it doesn't take relabelfrom into
> account (it predates any hacking I did on SEDarwin, though I did stop it
> from panicing).
>
> The kernel code in question is still online at:
> http://sedarwin.org/cgi-bin/cvsweb/sedarwin8/policies/sedarwin/sedarwin/ss/services.c

It also ignores other parts of a context so it isn't really sufficient:
if the type can be relabeled from and to but the user is different, a
constraint will prevent the relabel, for example. It also doesn't take
any mls/mcs into account.

I also think it isn't appropriate to do analysis of the policy in the
kernel; a better alternative might be to make a kernel interface to
output the policydb that an apol-like daemon could read and perform
queries on when requested.
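The relabel analysis Joshua and Todd are discussing, as an added example that is not code from the thread, from SEDarwin or from any SELinux tool. It runs over a constructed toy policy (a handful of allow rules for a hypothetical user_t domain) and contrasts the relabelto-only list that security_get_file_sids() is described as returning with a check that also requires relabelfrom on the object's current type, models a simplified constraint that the SELinux user of an object may not change on relabel, and models MCS as "the new label may only carry categories the subject holds". All rule names, the constraint and the MCS rule are this example's own simplifications, not refpolicy:

```python
# Added example: toy relabel analysis; the policy, the user-constraint and
# the MCS rule below are constructed simplifications, not refpolicy.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """A security context split into components; `categories` stands in
    for the MCS part of the level (sensitivity is fixed at s0 here)."""
    user: str
    role: str
    type: str
    categories: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AllowRule:
    """One `allow <source> <target>:<tclass> { perms };` rule."""
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


# Constructed toy policy: user_t may relabel its own data both ways, may
# relabel *to* two service types, and may only read etc_t.
TOY_POLICY: List[AllowRule] = [
    AllowRule("user_t", "user_home_t", "file", frozenset({"relabelfrom", "relabelto"})),
    AllowRule("user_t", "user_tmp_t", "file", frozenset({"relabelfrom", "relabelto"})),
    AllowRule("user_t", "samba_share_t", "file", frozenset({"relabelto"})),
    AllowRule("user_t", "httpd_sys_content_t", "file", frozenset({"relabelto"})),
    AllowRule("user_t", "etc_t", "file", frozenset({"read"})),
]


def te_allows(policy: List[AllowRule], src: str, tgt: str, tclass: str, perm: str) -> bool:
    """Type Enforcement check: does some allow rule grant `perm`?"""
    return any(r.source == src and r.target == tgt and r.tclass == tclass and perm in r.perms
               for r in policy)


def relabelto_targets(policy: List[AllowRule], subject: Context, tclass: str = "file") -> List[str]:
    """What security_get_file_sids() computed, per Todd's description:
    every type the subject holds relabelto on, regardless of the object."""
    return sorted({r.target for r in policy
                   if r.source == subject.type and r.tclass == tclass and "relabelto" in r.perms})


def relabel_candidates(policy: List[AllowRule], subject: Context, obj: Context,
                       tclass: str = "file") -> List[str]:
    """Joshua's refinement: offer nothing unless the subject may
    relabelfrom the object's current type."""
    if not te_allows(policy, subject.type, obj.type, tclass, "relabelfrom"):
        return []
    return relabelto_targets(policy, subject, tclass)


def relabel_permitted(policy: List[AllowRule], subject: Context, old: Context,
                      new: Context, tclass: str = "file") -> Tuple[bool, str]:
    """Full decision for one old -> new change: TE both ways, then the
    (simplified) constraint that the object's user may not change, then the
    (simplified) MCS rule that the new categories must be held by the subject."""
    if not te_allows(policy, subject.type, old.type, tclass, "relabelfrom"):
        return False, f"no relabelfrom on {old.type}"
    if not te_allows(policy, subject.type, new.type, tclass, "relabelto"):
        return False, f"no relabelto on {new.type}"
    if old.user != new.user:
        return False, f"constraint: user {old.user} -> {new.user} not allowed"
    if not new.categories <= subject.categories:
        missing = ",".join(sorted(new.categories - subject.categories))
        return False, f"mcs: subject does not hold categories {missing}"
    return True, "ok"


if __name__ == "__main__":
    me = Context("user_u", "user_r", "user_t", frozenset({"c1"}))
    doc = Context("user_u", "object_r", "user_home_t")
    print("relabelto only:", relabelto_targets(TOY_POLICY, me))
    print("with relabelfrom:", relabel_candidates(TOY_POLICY, me, doc))
    print(relabel_permitted(TOY_POLICY, me, doc, Context("system_u", "object_r", "samba_share_t")))
```

The relabelto-only list and the relabelfrom-filtered list coincide for a file the subject owns, which is why the SEDarwin utility looked adequate; run the same query against an etc_t file and the filtered list is empty while the raw list is unchanged, and a target that only differs in its user component or carries a category the subject lacks is accepted by TE alone but rejected by the full check.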
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: Karl MacMillan @ 2007-05-23 14:01 UTC
To: Joshua Brindle
Cc: Todd Miller, Klaus Weidner, James Antill, Paul Moore, SE Linux, Daniel J Walsh

On Tue, 2007-05-22 at 11:14 -0400, Joshua Brindle wrote:
> Todd Miller wrote:
> > Joshua Brindle wrote:
> >
> >> How would the client get that kind of information? apol is the only
> >> app I know if that does any kind of relabel analysis to see what who
> >> can relabel what-to-what and that would be a pretty high level
> >> dependency for nautilus (and it also uses the policy on disk instead
> >> of the one loaded into the kernel). Also the list would be completely
> >> unusable when run from unconfined_t, which is the normal use case.
> >
> > There was a proof of concept file label utility in SEDarwin that used a
> > sysctl to get the list of allowable file contexts for a user. Like you
> > say, it was basically useless from unconfined_t (it was initially
> > written for the old example policy).
>
> What does allowable file context mean?

This doesn't have to be an exhaustive list of contexts - but a list of
the most likely contexts that the user might want would be helpful.

> You need to be able to do an analysis on the policy to see what user can
> relabelfrom and what they can relabelto. If they can't relabelfrom the
> file being modified in nautilus then nothing should appear, otherwise
> the types they can relabelto would appear.

1) The analysis isn't that complicated - no reason it can't be done in
libsepol if it is useful.

2) It could be data driven from the policy - types could be marked in
refpolicy as likely candidates for relabeling by different domains.

The larger point, I think, is that users often directly interact with
types / contexts, particularly when dealing with the filesystem. These
types should be documented (just like interfaces) and users should be
given help determining appropriate types / contexts when labeling is
needed (and users can mean unprivileged users or admins).

Basically - the refpolicy notion that types are private resources of
modules is broken. There is no encapsulation - so we need docs, etc.

Karl
* Re: Fedora Core 7 has frozen and Fedora 8 Development has started
From: James Antill @ 2007-05-22 14:51 UTC
To: Klaus Weidner; +Cc: Paul Moore, SE Linux, Daniel J Walsh

On Mon, 2007-05-21 at 17:13 -0500, Klaus Weidner wrote:
> Would it make sense to make a distinction between end user modifiable
> types and admin types? For example, at first glance the following look as
> if they'd be most relevant for non-admin users:

Right, the admin can use nautilus too :).
Note that if a context is viewed that doesn't match any of those
translations the failure mode is to just display the full context to the
user, so I wanted to add all of the types that any user would hit in at
least ~/ and /etc.

> > HACK_TYPE("cvs_data_t", _("Read and write from CVS daemon"));
> > HACK_TYPE("public_content_rw_t",
> >           _("Read and write from CIFS/ftp/http/nfs/rsync"));
> > HACK_TYPE("public_content_t", _("Read from CIFS/ftp/http/nfs/rsync"));
> > HACK_TYPE("samba_share_t", _("Shared via CIFS (samba)"));
> > HACK_TYPE("staff_home_t", _("Staff user data"));
> > HACK_TYPE("staff_home_dir_t", _("Staff user home directory"));
> > HACK_TYPE("sysadm_home_t", _("Sysadmin user data"));
> > HACK_TYPE("sysadm_home_dir_t", _("Sysadmin user home directory"));
> > HACK_TYPE("tmp_t", _("Temporary data"));
> > HACK_TYPE("user_tmp_t", _("User temporary data"));
> > HACK_TYPE("user_home_t", _("User data"));
> > HACK_TYPE("user_home_dir_t", _("User home directory"));
> > HACK_TYPE("xen_image_t", _("Xen image"));
>
> Maybe one way to do that would be to use a drop-down for the type that
> only contains the types that the user is actually permitted to change
> this object to?

The above function _just_ does the translation from a type to "readable
message saying what the type is". This is not the list of entries that
is displayed to the user.
The list is generated by always adding tmp_t, user_home_t, user_tmp_t
and then whatever is contained in selinux_customizable_types_path().
Then the current type for the file, and the matchpathcon type for the
file (with all the other values for the context taken from the current
context).
That's not very pretty either, but it doesn't make me cringe as much as
the above :).

--
James Antill <jantill@redhat.com>
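The list construction James describes above, together with the type-to-label translation and its display-the-full-context fallback from his earlier message, as an added example that is not Nautilus's own code. The translation table is a constructed subset of the HACK_TYPE list, the customizable-types text is a constructed stand-in for the file that selinux_customizable_types_path() points at (one type per line; the comment handling is this example's own), and the matchpathcon context is passed in rather than looked up. The context splitter keeps the rest of the context opaque and only peels off the four fields, which matters because the MLS/MCS level can itself contain colons:

```python
# Added example, not Nautilus code: candidate-context list and type
# translation as described in the thread. Table and file contents are
# constructed samples.
from typing import Dict, List, Optional, Tuple

# Constructed subset of the HACK_TYPE table quoted in the thread.
TYPE_DESCRIPTIONS: Dict[str, str] = {
    "tmp_t": "Temporary data",
    "user_tmp_t": "User temporary data",
    "user_home_t": "User data",
    "user_home_dir_t": "User home directory",
    "samba_share_t": "Shared via CIFS (samba)",
    "public_content_t": "Read from CIFS/ftp/http/nfs/rsync",
    "public_content_rw_t": "Read and write from CIFS/ftp/http/nfs/rsync",
    "httpd_sys_content_t": "Read from all httpd scripts and the daemon",
}

# Types the list always contains, per James's description.
ALWAYS_OFFERED = ("tmp_t", "user_home_t", "user_tmp_t")

# Constructed stand-in for the customizable_types file (one type per line).
CUSTOMIZABLE_TYPES_FILE = """\
# types a user may set by hand (constructed sample)
samba_share_t
public_content_t
user_home_t
"""


def load_customizable_types(text: str) -> List[str]:
    """One type per line; blank lines and '#' comments are skipped (this
    example's own convention, not libselinux's parser)."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def split_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:level]. The level may contain ':' itself
    (e.g. s0-s0:c0.c1023), so split at most three times and keep the
    remainder as one opaque string."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else None
    return user, role, typ, level


def with_type(ctx: str, new_type: str) -> str:
    """Replace only the type; user, role and level come from `ctx`."""
    user, role, _, level = split_context(ctx)
    fields = [user, role, new_type] + ([level] if level is not None else [])
    return ":".join(fields)


def describe_context(ctx: str, table: Dict[str, str] = TYPE_DESCRIPTIONS) -> str:
    """Readable label for the type; an unknown type shows the whole
    context, the failure mode James describes."""
    _, _, typ, _ = split_context(ctx)
    return table.get(typ, ctx)


def candidate_contexts(current: str, matchpathcon_ctx: str,
                       customizable: List[str]) -> List[str]:
    """The 'change context' list: always-offered types, then customizable
    types, then the file's current type, then its matchpathcon default
    type, each combined with the current context's other fields.
    Order is preserved and duplicate types are dropped."""
    _, _, cur_type, _ = split_context(current)
    _, _, default_type, _ = split_context(matchpathcon_ctx)
    seen = set()
    out: List[str] = []
    for t in (*ALWAYS_OFFERED, *customizable, cur_type, default_type):
        if t not in seen:
            seen.add(t)
            out.append(with_type(current, t))
    return out


if __name__ == "__main__":
    cur = "unconfined_u:object_r:user_home_t:s0"
    default = "system_u:object_r:httpd_sys_content_t:s0"
    for c in candidate_contexts(cur, default, load_customizable_types(CUSTOMIZABLE_TYPES_FILE)):
        print(f"{describe_context(c):45s} {c}")
```

Two details carry the security point of the thread: the level is never reassembled from parts, so a context like `system_u:object_r:user_home_t:s0-s0:c0.c1023` survives the round trip, and the candidate list reuses the current context's user, role and level verbatim, so a file manager never manufactures those fields itself.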