From: Dominick Grift <dominick.grift@defensec.nl>
To: Paul Moore <paul@paul-moore.com>
Cc: selinux@vger.kernel.org
Subject: Re: [SELinux-notebook PATCH v2] objects.md: some clarifications
Date: Wed, 15 Jul 2020 09:56:32 +0200
Message-ID: <ypjlsgdtfbyn.fsf@defensec.nl>
In-Reply-To: <CAHC9VhRNWLQAVzOnei5Hne8k7nXQkoQkY7txBov_rNMhKHNCFw@mail.gmail.com> (Paul Moore's message of "Tue, 14 Jul 2020 22:15:17 -0400")

Paul Moore <paul@paul-moore.com> writes:

> On Fri, Jul 10, 2020 at 3:14 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> v2: fixes patch description
>> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
>
> Thanks for the patch, but just like any other project, it would be
> nice to see a patch description here.  You can also move the changelog
> portion of the patch below a "--" delimiter so it doesn't get caught
> up in the main description (changelogs aren't quite as useful once the
> patch has been committed to the tree).

Thanks. I will redo it.

>
>> ---
>>  src/objects.md | 24 ++++++++++++++++++++++--
>>  1 file changed, 22 insertions(+), 2 deletions(-)
>
> ...
>
>> @@ -269,6 +275,20 @@ and manage their transition:
>>
>>  `type_transition`, `role_transition` and `range_transition`
>>
>> +SELinux-aware applications can enforce a new label (with the policies
>
> As someone who is barely fluent in one language I hate to criticize
> others when they are writing in their non-native language, but I think
> this should be "policy's" not "policies".

I appreciate these corrections and will apply that with a v3.

>
>> +approval of course) using the **libselinux** API functions. The
>> +`process setexec`, `process setkeycreate` and `process setsockcreate`
>> +access vectors can be used to allow subjects to label processes,
>> +kernel keyrings, and sockets programmatically using the
>> +***setexec**(3)*, ***setkeycreatecon**(3)* and
>> +***setsockcreatecon**(3)* functions respectively, overriding
>> +transition statements.
>> +
>> +The `kernel` and `unlabeled` **initial security identifiers** are used
>> +to associate specified labels with subjects that were left unlabeled
>> +due to initialization or with subjects that had their label
>> +invalidated due to policy changes at runtime respectively.
>
> That looks like a good definition for "unlabeled", but it doesn't look
> like you've defined the "kernel" isid?

I did (note the "respectively"), but maybe I wrote it down in a less than optimal way?

kernel: "are used to associate specified labels with subjects that were
left unlabeled due to initialization"

unlabeled: "(are used to associate specified labels) with subjects that
had their label invalidated due to policy changes at runtime"

>
>>  ### Object Reuse
>>
>>  As GNU / Linux runs it creates instances of objects and manages the
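Review bot: `***setexec**(3)*` in the added paragraph is not the name of the libselinux call; the function that pairs with the `process setexec` permission is `setexeccon(3)`, which would also match the `setkeycreatecon(3)` and `setsockcreatecon(3)` names listed beside it. In the last added sentence, the single "respectively" has to span two clauses joined by "or with", which is easy to misread as one definition of `unlabeled` with `kernel` left undefined; one sentence per initial SID (e.g. "The `kernel` initial SID labels subjects left unlabeled during initialization. The `unlabeled` initial SID labels subjects whose label was invalidated by a runtime policy change.") would remove the ambiguity.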
>> --
>> 2.27.0

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
