
SELinux Mailing List

Re: [ PATCH ] X clients cleanup Patch #3

From: Ivan Gyurdiev <ivg2_at_cornell.edu>
Date: Sat, 02 Apr 2005 10:43:09 -0500


On Sat, 2005-04-02 at 22:27 +1000, Russell Coker wrote:
> On Saturday 02 April 2005 22:04, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > Do we want to remove tmpfs_domain from base_user_domain? I would prefer
> > to have policy where X privs for users is optional.
> > Think eventually about loadable modules, where you have an X user support
> > module. Server users need a lot less privs.
>
> When you say "X is optional" do you mean to have a boolean or to have it
> optional at compile time?
>
> If a boolean then we would probably have the boolean not stop tmpfs access.
> If optional at compile time then we certainly want tmpfs_domain in
> base_user_domain.
>
> I think that in any case we probably want tmpfs_domain in base_user_domain
> just for best structure of policy.

How do I prevent the tmpfs type from being declared twice (causing a compile error)? Can't put it in both x_client and user, and other domains don't declare a tmpfs_domain themselves - they rely on x_client to do it for them.

I didn't like this either, but removing tmpfs_domain from x_client also seemed like a bad idea - it causes denials for everything. Moving it into the individual domains is a problem, because then you're relying on a type in x_client that might not have been declared.

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Sat 2 Apr 2005 - 10:38:49 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service