Security Enhanced Linux
SELinux Mailing List
Re: [RFC & PATCH] inherited type definition.
From: Kaigai Kohei <kaigai_at_ak.jp.nec.com>
Date: Wed, 16 Mar 2005 13:35:36 +0900
> Not exactly - that is certainly one problem, but the main problem is that I want

OK, I misunderstood your concern. BTW, I don't think your 'group of types' idea conflicts with my patch. Because the results of "TYPE ... EXTENDS" look like two similar types/domains at the binary level, any existing tools can handle the generated policy binary without any problems. (Thus, I adopted sediff to check the patched checkpolicy.) How do your ideas work? And how do they conflict with the "TYPE ... EXTENDS" approach?

>> This looks like the usage of ATTRIBUTE. But we can't define

Yes, those work similarly. But the current implementation of attributes doesn't permit such a usage. In the above example, generic_ssh has some attributes attached, but we can't attach any attributes to an attribute in the current checkpolicy. Because the "TYPE ... EXTENDS" statement is implemented by the existing attribute implementation, it is natural that this extension has similar functionality. This extension makes it possible to define multiple-layer types/domains with minimum modification and enough compatibility.

> It may be easier, but it is fundamentally dangerous. A user that simply extends

Since we can't force end users to apply a specific configuration, excessive access can happen anywhere. I think end users should select the best way according to their own skill and so on. Providing another option is not bad.

Thanks,
--
DO NOTHING IS THE WORST POLICY.
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

Received on Tue 15 Mar 2005 - 23:41:32 EST
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |