Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: can_network patch.
From: Stephen Smalley <sds_at_epoch.ncsc.mil>
Date: Tue, 23 Nov 2004 14:06:47 -0500
My preference: Feel free to refactor can_network() into smaller macros that can_network() then includes, but don't change the overall set of permissions allowed by can_network(). Instead, change the calling domains to use the smaller macros as appropriate, e.g. can_tcp_server() for domains that just want bind/listen/accept (and the usual permissions for basic use of the socket), can_tcp_client() for domains that just want connect (and the usual permissions for basic use of the socket). If you are reading policy and you see can_network(), you should be able to assume unrestricted use of the network. If you see can_tcp_client(), you get a clear sense as to what that means. -- Stephen Smalley <sds@epoch.ncsc.mil> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Tue 23 Nov 2004 - 14:11:26 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |