[redhat-lspp] Getting rid of multilevel objects
Chad Hanson
chanson at TrustedCS.com
Wed Jul 5 21:38:29 UTC 2006
>
> Directories are not ranged, but have to satisfy the constraint that
> the directory contents must dominate the directory. To create a file
> in a directory with a lower classification, the creating process must
> have the allowmacwrite privilege. Directory relabels are only
> possible if the directory is empty.
>
Doesn't this statement imply the directory is ranged from the
label to SystemHigh?
If a directory is U and a U and S process can write into it, I would
consider this ranged. I know PitBull has ranged directories.
Whether the maximum is SystemHigh or a maximum SL is merely an
implementation detail.
Back to the original question, on the desire of having multi-level
objects I could probably go either way.
-Chad