[redhat-lspp] userdomain policy question ..
Klaus Weidner
klaus at atsec.com
Tue Aug 8 16:36:09 UTC 2006
On Tue, Aug 08, 2006 at 09:26:33AM -0700, Casey Schaufler wrote:
> On Irix (which uses xattrs extensively)
> changes to the xattrs are explicitly audited
> under the same circumstances that would
> warrant changes to traditional attributes.
> Any change to an xattr in the security space
> (ACL, Capability set, MAC label) is audited
> if changes to traditional security attributes
> (owner, group, mode) are audited. This was
Explicit changes to attributes already get audited properly; the issue
here is setting the default label that will be used for objects created
in the future, similar to umask. It's for cases where an unprivileged
process has the right to choose between various SELinux types that the
MLS policy doesn't care about, but only privileged processes will have
the right to select the MLS label.
-Klaus