On Thu, Jan 13, 2005 at 11:44:31AM -0500, Stephen Smalley wrote:
> On Wed, 2005-01-12 at 18:01, Luke Kenneth Casson Leighton wrote:
> > 2 ) even if they did chcon -t "F1,F2" foobar, you would still expect
> > them to be doing that as an "interim" measure whilst they were
> > testing something _pending_ formal analysis by putting that
> > into the policy files.
>
> BTW, idle question: how do you decide whether to allow setting such
> combinations on a file?

 i thought that it would be because the "intermediate" stage would have  generated a filetype called "F1,F2" which may actually only require  some extensions etc. to simply add "," as an allowed character in the  file types and the policy compiler.

 and there would therefore be in the policy.conf file lots of things  like "allow F1,F2 such-and-such".

 i thought that the only tricky bit would be at policy compile-time to  have to run through the complete list of files on the filesystem (which  is done by setfiles _anyway) making a distinction between the overlap  of the regexp associated with F1 and the regexp associated with F2.

 l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.