Re: Many to one translations in setrans.conf

[Daniel J Walsh <dwalsh redhat com>]

Joe Nall wrote:
> We have been using /etc/selinux/mls/setrans.conf files that use 
> multiple equivalent translations to support common aliases. For example:
>
> s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
> s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
> s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
> s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
> s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
> s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
>
> This has the effect of mapping all of these labels to a common 
> context. This context maps back to the first translation 
> (CONFIDENTIAL//REL FU).
>
> 'semanage translation -a -T ...'  has different behavior. When a 
> translation is added, it rewrites the file using the last (C O N F I D 
> E N T I A L RELEASABLE TO BAR) translation and deletes the other 
> translations. It also moves all of the comments to the top, moving 
> them away from the translation they are documenting.
>
> Should we be using this many to one behavior to support aliases? Is it 
> broken in other ways that we have not discovered yet?
No I think this is fine, but the tool is probably broken.
> joe
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list