Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: [RFC & PATCH] inherited type definition.
From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
Date: Thu, 24 Mar 2005 11:04:38 +0000
> > -----Original Message----- okay, i must have missed that. ... but, after a couple of days' thought, i don't believe that what i am suggesting is anything anywhere near the @ syntax, and it is in fact in response to some comments by stephen [where he mentioned that it would be better to split domains up further using macros than it would be to use this inheritance system with some modifications suggested by me, so off i went to think of some better modifications - clarification below]
> > > Next, my objection is that there is only one subset of that one set of permissions is inheritable via "extends" and other sets are not. the reason why i am suggesting this syntax is because stephen said that it would not be okay to split macros down into sub-macro in order to inherit/extend "subsets" of a domain. e.g. if you do user_ftp_t extends user_t where you have already declared some_macro(user) then it ends up inheriting ONLY those blocks of permissions containing "user_ftp_t" inside "inheritable { }" braces. ... so, after some thought, however, i believe we may be talking about two separate issues. the "inheritable" syntax i suggest above is a way to inherit SUBSETS of a domain, without disrupting the existing policy source too much (which i interpreted stephen's comments to mean) so, correct me if i am wrong, but the "@" syntax doesn't actually STOP something from being "extended", it just means that a different domain is inherited, yes? and your original question was: when you use A "extends" B and C "extends" B, and B contains "@"s, how do you potentially make A ignore the "@" but C _not_ ignore the "@"? if that was your original question, then that's easy: you use a syntax @(A) or @(A,Z,Y,X) I BELIEVE that the "inheritable" syntax above could be added as an enhancement to the existing proposed "extends" scheme, WITHOUT disrupting or having anything to do with the "@" syntax. the only question is: do you _want_ to use "inheritable" instead of splitting macros down into sub-macros to achieve the same end-result? which is simpler? which is easier to understand? does the "inheritable" syntax cause any potential disruption/confusion (beyond what the @ syntax already does if you ask me!!!!) l. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Thu 24 Mar 2005 - 05:55:10 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |