Re: [RFC] [PATCH] Replace security fields with hashtable

From: Stephen Smalley (sds@private)
Date: Fri Oct 29 2004 - 07:53:31 PDT

On Fri, 2004-10-29 at 10:47, Colin Walters wrote:
> On idea occurred to me: Could you express this as a constraint based on
> the SELinux user identity (rather than the uid, which is untrustworthy).
> Something like this:
> constrain lnk_file read ( t2 != tmpfile or u1 == u2 );
> We'd just need a new attribute 'tmpfile' to mark all types like tmp_t
> and derived ones such as user_tmp_t.  You still need to give each
> individual user their own SELinux identity, but they can still be
> user_t.

tmpfile and user_tmpfile attributes actually exist already.

Stephen Smalley <sds@private>
National Security Agency

This archive was generated by hypermail 2.1.3 : Fri Oct 29 2004 - 07:57:52 PDT