From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: cpebenito@tresys.com, ewalsh@tycho.nsa.gov, selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts
Date: Wed, 28 May 2008 11:49:30 +0900 [thread overview]
Message-ID: <483CC83A.7080103@ak.jp.nec.com> (raw)
In-Reply-To: <1211908477.19360.28.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
>> e.g)
>> selabel_lookup(sehandle, &context, "user_u:user_r:user_t:s0", 0);
>> returns "user_u:object_r:sepgsql_db_t:s0".
>
> Chris is investigating the use of roles on objects in order to provide
> more fully featured RBAC support without requiring use of per-role
> domains. Hardcoding the use of object_r won't be future compatible for
> that situation, and more generally we don't want to hardcode policy
> information in libselinux at all.
>
> I'm also unclear as to why type_transition rules aren't a better way of
> expressing the above, although I know you've been discussing this with
> Chris for some time. Logically I'd expect the client domain to be the
> source type of the transition, and the type for the newly created
> database to be the new/result type of the transition. What to use as
> the target type is less clear; we'd have a similar issue if we were to
> use type_transitions for e.g. sockets. It could either be the client
> domain both as source and target (self relationship, no related object)
> or the client domain as source and the object manager domain as target.
I think it can be a good candidate to describe type_transition for
db_database class, because another subsystem (socket) adopts self
relationship approach and we can avoid unnecessary confusion.
Chris, can you change type_transition rules for db_database, as follows?
type_transition postgresql_t self:db_database sepgsql_db_t;
type_transition sepgsql_client_type self_t:db_database sepgsql_db_t;
In this approach, I think configuration files are not necessary basically.
However, I'm attracted to Eamon's idea.
If there is a configuration file to describe what database object should
have what context, we can also provide a restorecon for database objects.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2008-05-28 2:49 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-26 10:30 [PATCH] libselinux: add support for /contexts/postgresql_contexts KaiGai Kohei
2008-05-27 17:14 ` Stephen Smalley
2008-05-27 17:55 ` Christopher J. PeBenito
2008-05-27 18:34 ` Stephen Smalley
2008-05-27 18:55 ` Christopher J. PeBenito
2008-05-27 19:59 ` Stephen Smalley
2008-05-27 20:15 ` Eamon Walsh
2008-05-28 13:24 ` Christopher J. PeBenito
2008-05-29 18:05 ` Eamon Walsh
2008-05-29 18:20 ` Christopher J. PeBenito
2008-05-30 0:22 ` Eamon Walsh
2008-05-30 12:27 ` Christopher J. PeBenito
2008-06-02 10:27 ` KaiGai Kohei
2008-06-02 17:31 ` Eamon Walsh
2008-06-02 18:39 ` Christopher J. PeBenito
2008-06-03 10:25 ` KaiGai Kohei
2008-06-03 12:37 ` Christopher J. PeBenito
2008-06-04 4:03 ` KaiGai Kohei
2008-06-04 14:19 ` Joshua Brindle
2008-06-05 1:07 ` KaiGai Kohei
2008-06-05 18:09 ` Eamon Walsh
2008-06-06 5:32 ` KaiGai Kohei
2008-06-04 14:32 ` Christopher J. PeBenito
2008-06-05 1:18 ` KaiGai Kohei
2008-06-05 13:35 ` Chris PeBenito
2008-06-06 5:21 ` KaiGai Kohei
2008-06-09 3:07 ` KaiGai Kohei
2008-06-10 18:09 ` Christopher J. PeBenito
2008-06-13 10:39 ` KaiGai Kohei
2008-06-13 13:37 ` Christopher J. PeBenito
2008-06-18 6:53 ` KaiGai Kohei
2008-06-18 13:41 ` Christopher J. PeBenito
2008-06-20 6:48 ` KaiGai Kohei
2008-06-23 12:35 ` Christopher J. PeBenito
2008-06-23 12:48 ` KaiGai Kohei
2008-06-23 12:56 ` Christopher J. PeBenito
2008-06-24 2:35 ` KaiGai Kohei
2008-06-24 12:56 ` Christopher J. PeBenito
2008-05-28 1:49 ` KaiGai Kohei
2008-05-28 12:56 ` Christopher J. PeBenito
2008-05-28 16:12 ` KaiGai Kohei
2008-05-28 1:13 ` KaiGai Kohei
2008-05-28 15:12 ` Stephen Smalley
2008-05-28 16:18 ` KaiGai Kohei
2008-05-28 2:49 ` KaiGai Kohei [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=483CC83A.7080103@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=cpebenito@tresys.com \
--cc=ewalsh@tycho.nsa.gov \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.