From: Eamon Walsh <ewalsh@tycho.nsa.gov>
To: Xavier Toth <txtoth@gmail.com>
Cc: SELinux List <selinux@tycho.nsa.gov>,
	James Carter <jwcart2@tycho.nsa.gov>,
	Stephen Smalley <sds@tycho.nsa.gov>, Joe Nall <joe@nall.com>
Subject: Re: [RFC] Add color translation support to mcstransd
Date: Thu, 18 Dec 2008 15:14:02 -0500
Message-ID: <494AAF0A.4040109@tycho.nsa.gov>
In-Reply-To: <cadfc0e40812170850r547f7104p5fa8197ca9f4f84e@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 865 bytes --]

Xavier Toth wrote:
> Where does mcstrans look for secolor.conf? I can use names (red,
> yellow, etc..) for colors instead of hex values, right?
>
> Ted
>
>   

I pushed two changes to the color-ewalsh branch addressing these issues,
please pull.

/etc/selinux/$POLICYTYPE/secolor.conf  is the location.

You can define names for colors using a new "color" rule in the conf
file.  Hex values are now specified with a leading hash mark to
distinguish them from symbolic names.

The "level" and "category" rules were dropped because, as alluded to in
another thread, SELinux does not expose knowledge of the MLS field to
the end user.  The only call available in the SELinux API is a dominance
check, hence I had to combine those two rules into a single "range" rule.

New example conf file attached.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


[-- Attachment #2: secolor.conf --]
[-- Type: text/plain, Size: 1322 bytes --]

#
# Color translation table for SELinux
#
# The color mechanism supports separate foreground/background color pairs for
# each component of the context (user, role, type, and range).
# Shell-style wildcards are supported in user, role, and type patterns.
#
# Colors are specified as hexadecimal RGB values.  Each line must contain
# two colors separated by whitespace: a foreground (text) color and
# background (area) color.
#
# It is not generally necessary to define colors for all five components of
# the context.  The color mechanism will borrow colors from other components
# as necessary.  For example if no user, role, or type statements are present,
# the matching engine will use the range color for all four components.
#

# Color definitions
color red   = #ff0000
color green = #00ff00
color blue  = #0000ff
color yellow = #ffff00
color black = #000000
color white = #ffffff

# Example non-MLS color configuration
#  Display sysadm/system in black-on-red
#role sysadm_r = black red
#role system_r = black red

#  Display staff in black-on-yellow
#role staff_r = black yellow

#  Display everything else in yellow-on-green
#role * = yellow green


# Example MLS color configuration
range s0:c0.c255 = yellow green
range s1:c0.c255 = red yellow
range s2:c0.c255 = yellow red
range s15:c0.c255 = #ffff00 #ff00ff
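
Added example, not part of the original message or of the mcstrans source: a small Python linter for the rule syntax described above ("color" definitions, "#"-prefixed hex values, and user/role/type/range rules). It shows what the new hash-mark convention implies for older files: a bare hex value is now read as a symbolic name and fails to resolve. The function name, the error strings, and the define-before-use requirement are assumptions.

```python
import re

# Constructed sample in the syntax of the attached file; the last two rules are
# deliberately wrong (old-style bare hex value, undefined color name).
SAMPLE = """\
color red    = #ff0000
color yellow = #ffff00
color black  = #000000
#role sysadm_r = black red
role staff_r = black yellow
range s0:c0.c255 = yellow #00ff00
range s1:c0.c255 = ff0000 yellow
range s2:c0.c255 = yellow orange
"""

HEX = re.compile(r"#[0-9a-fA-F]{6}$")
COMPONENTS = ("user", "role", "type", "range")

def lint_secolor(text):
    """Return (rules, errors); rules carry colors resolved to '#rrggbb'."""
    names, rules, errors = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        left, sep, right = line.partition("=")
        head, vals = left.split(), right.split()
        if not sep or len(head) != 2:
            errors.append((lineno, "malformed rule"))
            continue
        kind, key = head
        if kind == "color":
            if len(vals) == 1 and HEX.match(vals[0]):
                names[key] = vals[0].lower()
            else:
                errors.append((lineno, "color needs one #rrggbb value"))
        elif kind in COMPONENTS:
            # Assumption: a name must be defined by an earlier "color" rule.
            resolved = [v.lower() if HEX.match(v) else names.get(v) for v in vals]
            if len(vals) != 2:
                errors.append((lineno, "need foreground and background"))
            elif None in resolved:
                bad = [v for v, r in zip(vals, resolved) if r is None]
                errors.extend((lineno, f"undefined color {v!r}") for v in bad)
            else:
                rules.append((kind, key, *resolved))
        else:
            errors.append((lineno, f"unknown rule {kind!r}"))
    return rules, errors
```

The linter checks syntax and name resolution only; matching a context against a "range" rule is the dominance check mentioned in the message and is not modeled here.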
