[redhat-lspp] [PATCH] setrans - selinux translation daemon
Stephen Smalley
sds at tycho.nsa.gov
Mon May 1 16:20:49 UTC 2006
On Mon, 2006-05-01 at 11:04 -0500, LC Bruzenak wrote:
> On Fri, 2006-04-28 at 17:46 -0400, Daniel J Walsh wrote:
> > Stephen Smalley wrote:
> > > On Wed, 2006-04-26 at 16:12 -0500, Chad Hanson wrote:
> > >
> > >> I am attaching the following patches as an initial framework for the SELinux
> > >> translation daemon.
> > >>
> > >> The patches include functionality in the following areas: daemon, client,
> > >> initialization, and initial policy.
> > >>
> > >> After implementing, we should change the file contexts of the translation
> > >> configuration files to SystemHigh. A label arbitration routine needs to be
> > >> added into the daemon to determine whether caller should be able to translate
> > >> the requested labels.
> > >>
> > >
> > > What is your view on just folding the client-side functionality into
> > > libselinux itself, and dropping the use of libsetrans as a separate
> > > library entirely? Since the actual translation functionality will live
> > > in the daemon, libsetrans seems unnecessary, and this would avoid both
> > > the overhead and the problems associated with dlopen'ing libsetrans from
> > > libselinux (including enabling the translation support to work from
> > > statically linked programs)?
> > >
> > >
> > Yes, let's drop libsetrans and replace it with setrans daemon.
>
> Does that mean that user space apps will need to call out to a daemon
> for label decisions vice using the library translation?
Yes, that was the plan regardless of whether libsetrans stayed as a
separate library or not; in either case, you would end up with the
client ultimately calling a local daemon for the actual translation.
--
Stephen Smalley
National Security Agency