RE: [redhat-lspp] Getting rid of multilevel objects
- From: Chad Hanson <chanson TrustedCS com>
- To: Joe Nall <joe nall com>, Chad Hanson <chanson TrustedCS com>
- Cc: casey schaufler-ca com, lspp-list <redhat-lspp redhat com>, Klaus Weidner <klaus atsec com>
- Subject: RE: [redhat-lspp] Getting rid of multilevel objects
- Date: Wed, 5 Jul 2006 17:38:29 -0400
>
> Directories are not ranged, but have to satisfy the constraint that
> the directory contents must dominate the directory. To create a file
> in a directory with a lower classification, the creating process must
> have the allowmacwrite privilege. Directory relabels are only
> possible if the directory is empty.
>
Doesn't this statement imply the directory is ranged from the
label to SystemHigh?

If a directory is U and a U and S process can write into it, I would
consider this ranged. I know PitBull has ranged directories.
Whether the maximum is SystemHigh or a maximum SL is merely an
implementation detail.

Back to the original question, on the desire of having multi-level
objects I could probably go either way.
-Chad
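
The rule quoted in this message can be modeled to show which process labels are able to create files in a given directory. This is an added example, not code from the thread or from any of the systems discussed. It assumes a constructed lattice (levels U/C/S/TS, categories A and B, with TS:A,B standing in for SystemHigh) and that a new file takes the label of the creating process; only the `allowmacwrite` privilege name comes from the quoted text.

```python
from dataclasses import dataclass
from itertools import combinations

LEVELS = ["U", "C", "S", "TS"]   # constructed hierarchy, lowest to highest
CATS = ["A", "B"]                # constructed categories

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()

    def dominates(self, other):
        # Standard MLS dominance: level >= and category set is a superset.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.cats >= other.cats)

    def __str__(self):
        return self.level + (":" + ",".join(sorted(self.cats)) if self.cats else "")

SYSTEM_HIGH = Label("TS", frozenset(CATS))  # stand-in for SystemHigh

def all_labels():
    subsets = [frozenset(c) for n in range(len(CATS) + 1)
               for c in combinations(CATS, n)]
    return [Label(lvl, s) for lvl in LEVELS for s in subsets]

def can_create(proc, directory, allowmacwrite):
    # Assumption: the new file is labeled at the process label.
    # Quoted rule 1: directory contents must dominate the directory.
    if not proc.dominates(directory):
        return False
    # Quoted rule 2: creating in a lower-classified directory needs the privilege.
    return proc == directory or allowmacwrite

def can_relabel(entries):
    # Quoted rule 3: a directory may be relabeled only when it is empty.
    return len(entries) == 0

def writer_labels(directory, allowmacwrite):
    # Every process label that may create a file in the directory.
    return [str(p) for p in all_labels() if can_create(p, directory, allowmacwrite)]

if __name__ == "__main__":
    print(writer_labels(Label("U"), allowmacwrite=False))
    print(writer_labels(Label("U"), allowmacwrite=True))
    print(writer_labels(Label("S", frozenset("A")), allowmacwrite=True))
```

With categories in play the set of writers is every label that dominates the directory, so an S:B process cannot create in an S:A directory even with the privilege.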