I think it is time for us to put the attributes back into policy file.

I think it is time for us to put the attributes back into policy file.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am getting several complaints from people wanting to see these
attributes.  I would like to be able to list all "Domains" so you could
choose which domains you want to put in permissive mode.

I would like to see which attribute is giving a certain permission to a
domain, without having to query the source.

I am sure there are other uses.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk3HNMACgkQrlYvE4MpobPCNgCg5t0UqNvz+GbzVsbLMuCDQrpV
VNkAoIoxKVwCqJ0BHXmRrWDGRTjDixjr
=LU0h
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: I think it is time for us to put the attributes back into policy file.

[Joe Nall]

On Dec 3, 2008, at 5:57 PM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I am getting several complaints from people wanting to see these
> attributes.  I would like to be able to list all "Domains" so you  
> could
> choose which domains you want to put in permissive mode.
>
> I would like to see which attribute is giving a certain permission  
> to a
> domain, without having to query the source.
>
> I am sure there are other uses.

+1

joe


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: I think it is time for us to put the attributes back into policy file.

[Stephen Smalley]

On Wed, 2008-12-03 at 18:57 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I am getting several complaints from people wanting to see these
> attributes.  I would like to be able to list all "Domains" so you could
> choose which domains you want to put in permissive mode.
> 
> I would like to see which attribute is giving a certain permission to a
> domain, without having to query the source.
> 
> I am sure there are other uses.

KaiGai changed the kernel policy format to retain type attributes in
policy.24 (kernel 2.6.28 and later).  So the information should be
available - it is just a matter of teaching apol and friends to
understand it.  Of course, we still need the module format fixed for
aliases, right?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: I think it is time for us to put the attributes back into policy file.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Smalley wrote:
> On Wed, 2008-12-03 at 18:57 -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I am getting several complaints from people wanting to see these
>> attributes.  I would like to be able to list all "Domains" so you could
>> choose which domains you want to put in permissive mode.
>>
>> I would like to see which attribute is giving a certain permission to a
>> domain, without having to query the source.
>>
>> I am sure there are other uses.
> 
> KaiGai changed the kernel policy format to retain type attributes in
> policy.24 (kernel 2.6.28 and later).  So the information should be
> available - it is just a matter of teaching apol and friends to
> understand it.  Of course, we still need the module format fixed for
> aliases, right?
> 
Ok I did not know this, I guess I will start bothering Chris then.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk37BQACgkQrlYvE4MpobPiUACfXHxJGLzqNcFkZs3DjrpcK00S
c/8AoOpiYL8P4hx3qJIT+4QMiegTiFx3
=AV9C
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.