Many to one translations in setrans.conf

Joe Nall joe at nall.com
Wed Apr 11 15:55:34 UTC 2007


We have been using /etc/selinux/mls/setrans.conf files that use  
multiple equivalent translations to support common aliases. For example:

s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR

This has the effect of mapping all of these labels to a common  
context. This context maps back to the first translation  
(CONFIDENTIAL//REL FU).

'semanage translation -a -T ...' has different behavior. When a  
translation is added, it rewrites the file using the last (C O N F I  
D E N T I A L RELEASABLE TO BAR) translation and deletes the other  
translations. It also moves all of the comments to the top, moving  
them away from the translation they are documenting.

Should we be using this many to one behavior to support aliases? Is  
it broken in other ways that we have not discovered yet?

joe
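
Added example, not part of the original message and not mcstransd or semanage code: a Python model of the two behaviors described above (every label maps to one context, which maps back to the first translation listed; the rewrite keeps only the last translation), used to report which aliases a rewrite would drop. The function names are hypothetical, the comment line in the sample is constructed, and it assumes plain `context=label` lines.

```python
# Translations quoted in the post; the comment line is constructed.
BEFORE = """\
# CONFIDENTIAL releasable to FU or BAR
s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
"""

def parse(text):
    """Return [(context, label)] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        context, sep, label = line.partition("=")
        if sep:
            entries.append((context.strip(), label.strip()))
    return entries

def build_maps(entries):
    """Model of the post's description: label -> context, context -> first label."""
    to_context, to_label = {}, {}
    for context, label in entries:
        to_context[label] = context
        to_label.setdefault(context, label)  # first translation listed wins
    return to_context, to_label

def rewrite_last_wins(entries):
    """Model of the rewrite described in the post: keep one label per context, the last."""
    last = {}
    for context, label in entries:
        last[context] = label
    return list(last.items())

def diff_after_rewrite(before, after):
    """Return (aliases no longer accepted, {context: (old, new) displayed label})."""
    b_fwd, b_rev = build_maps(before)
    a_fwd, a_rev = build_maps(after)
    lost = [label for label in b_fwd if label not in a_fwd]
    changed = {c: (b_rev[c], a_rev.get(c)) for c in b_rev if a_rev.get(c) != b_rev[c]}
    return lost, changed

if __name__ == "__main__":
    before = parse(BEFORE)
    print(diff_after_rewrite(before, rewrite_last_wins(before)))
```

Running the same comparison on a saved copy of setrans.conf and the file as it stands after a rewrite shows whether any label that users or scripts still type has stopped resolving.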



