Re: [RFC] [PATCH] Replace security fields with hashtable

From: Stephen Smalley (sds@private)
Date: Fri Oct 29 2004 - 07:53:31 PDT


On Fri, 2004-10-29 at 10:47, Colin Walters wrote:
> One idea occurred to me: Could you express this as a constraint based on
> the SELinux user identity (rather than the uid, which is untrustworthy)?
> 
> Something like this:
> 
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );
> 
> We'd just need a new attribute 'tmpfile' to mark all types like tmp_t
> and derived ones such as user_tmp_t.  You still need to give each
> individual user their own SELinux identity, but they can still be
> user_t.

tmpfile and user_tmpfile attributes actually exist already.

-- 
Stephen Smalley <sds@private>
National Security Agency


