SELinux Mailing List

Question: ROLE_file_type vs customizable

From: Ivan Gyurdiev <ivg2_at_cornell.edu>
Date: Thu, 14 Apr 2005 16:20:06 -0400


What is the purpose of "$1_file_type"? How does that differ from "customizable", besides embedding the user in the type? Should customizable be $1_customizable instead, and then there can be a centralized rule that allows ROLE_t relabelto/relabelfrom and other privileges to ROLE_customizable?

Here are all the allow rules associated with $1_file_type. Why is gpg able to write to every file type marked with this attribute?

allow sysadm_gpg_t sysadm_file_type:dir { read getattr lock search ioctl add_name remove_name write };
allow sysadm_gpg_t sysadm_file_type:file { create ioctl read getattr lock write setattr append link unlink rename };
allow sysadm_gpg_t sysadm_file_type:lnk_file { create read getattr setattr link unlink rename };
allow user_gpg_t user_file_type:dir { read getattr lock search ioctl add_name remove_name write };
allow user_gpg_t user_file_type:file { create ioctl read getattr lock write setattr append link unlink rename };
allow user_gpg_t user_file_type:lnk_file { create read getattr setattr link unlink rename };
allow user_locate_t { home_root_t user_home_dir_t user_file_type }:dir { getattr search };
allow user_locate_t user_file_type:{ file lnk_file } { getattr read };
allow user_file_type user_home_t:filesystem associate;
allow staff_gpg_t staff_file_type:dir { read getattr lock search ioctl add_name remove_name write };
allow staff_gpg_t staff_file_type:file { create ioctl read getattr lock write setattr append link unlink rename };
allow staff_gpg_t staff_file_type:lnk_file { create read getattr setattr link unlink rename };
allow staff_locate_t { home_root_t staff_home_dir_t staff_file_type }:dir { getattr search };
allow staff_locate_t staff_file_type:{ file lnk_file } { getattr read };
allow staff_file_type staff_home_t:filesystem associate;
-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Thu 14 Apr 2005 - 16:17:46 EDT
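The question above hinges on two things: a rule whose target is an attribute such as sysadm_file_type applies to every type declared with that attribute, and $1 in the per-role macros is replaced by the role prefix, so each role gets its own ROLE_file_type attribute. The following is an added example, not code from the post or from the SELinux reference policy: a small Python audit helper that parses allow rules in the syntax quoted above, expands attribute membership from `type NAME, ATTR;` declarations, and reports which concrete types a domain can write to and via which identifier the access was granted. The three sysadm_gpg_t rules are the ones from the post; the type declarations, the types carrying the attribute, and the template string are constructed for this demonstration.

```python
import re

# Constructed sample policy fragment. The three allow rules for sysadm_gpg_t
# are the ones quoted in the post; the type declarations (and which types
# carry the sysadm_file_type attribute) are invented for this demonstration.
SAMPLE_POLICY = """
attribute sysadm_file_type;
type sysadm_gpg_t;
type sysadm_home_dir_t;
type sysadm_home_t, sysadm_file_type;
type sysadm_gpg_secret_t, sysadm_file_type;
type sysadm_untrusted_content_t, sysadm_file_type;
allow sysadm_gpg_t sysadm_home_dir_t:dir { getattr search };
allow sysadm_gpg_t sysadm_file_type:dir { read getattr lock search ioctl add_name remove_name write };
allow sysadm_gpg_t sysadm_file_type:file { create ioctl read getattr lock write setattr append link unlink rename };
allow sysadm_gpg_t sysadm_file_type:lnk_file { create read getattr setattr link unlink rename };
"""

# Hypothetical per-role template in the style of the policy macros the post
# refers to: $1 is the role prefix (sysadm, user, staff), so $1_file_type
# names a different attribute for each role.
GPG_FILE_TEMPLATE = (
    "allow $1_gpg_t $1_file_type:file "
    "{ create ioctl read getattr lock write setattr append link unlink rename };"
)

TYPE_RE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;$")
ALLOW_RE = re.compile(
    r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:{}]+):(\{[^}]*\}|\S+)"
    r"\s+(\{[^}]*\}|[^\s;]+)\s*;$"
)


def _names(field):
    """Expand a policy set field: '{ a b }' -> ['a', 'b'], 'a' -> ['a']."""
    return field.strip("{}").split()


def parse_policy(text):
    """Return (attr_members, rules).

    attr_members maps attribute name -> set of types declared with it.
    rules is a list of (sources, targets, classes, perms) tuples of lists."""
    attr_members = {}
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            name, attrs = m.group(1), m.group(2)
            for attr in attrs.replace(",", " ").split():
                attr_members.setdefault(attr, set()).add(name)
            continue
        m = ALLOW_RE.match(line)
        if m:
            rules.append(tuple(_names(g) for g in m.groups()))
    return attr_members, rules


def concrete_types(name, attr_members):
    """Types denoted by `name`: its members if it is an attribute, else itself."""
    return attr_members.get(name, {name})


def types_with_perm(source, cls, perm, attr_members, rules):
    """Concrete types on which domain `source` holds `perm` for class `cls`,
    mapped to the identifier(s) in the granting rule, so an auditor can see
    when access arrived through an attribute rather than the type itself."""
    granted = {}
    for sources, targets, classes, perms in rules:
        if not any(source in concrete_types(s, attr_members) for s in sources):
            continue
        if cls not in classes or perm not in perms:
            continue
        for target in targets:
            for t in concrete_types(target, attr_members):
                granted.setdefault(t, set()).add(target)
    return granted


def instantiate(template, role):
    """Expand a $1-parameterised rule template for one role prefix."""
    return template.replace("$1", role)


if __name__ == "__main__":
    attrs, rules = parse_policy(SAMPLE_POLICY)
    for cls in ("dir", "file", "lnk_file"):
        w = types_with_perm("sysadm_gpg_t", cls, "write", attrs, rules)
        print(f"sysadm_gpg_t may write {cls}: {sorted(w)}")
    print(instantiate(GPG_FILE_TEMPLATE, "staff"))
```

Running it shows that sysadm_gpg_t gains write on every type tagged sysadm_file_type (here the constructed sysadm_home_t, sysadm_gpg_secret_t and sysadm_untrusted_content_t) through the single attribute-targeted rule, while sysadm_home_dir_t, which is granted directly, only receives search and getattr; that is the over-broad grant the post asks about, and the same check can be run against any other domain and attribute pair.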
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

National Security Agency / Central Security Service