[redhat-lspp] Re: mcstransd question

Stephen Smalley sds at tycho.nsa.gov
Mon Oct 2 19:34:11 UTC 2006


On Mon, 2006-10-02 at 15:06 -0400, Linda Knippers wrote:
> Stephen Smalley wrote:
> > For the translation daemon itself, you might want a libselinux function
> > that lets you disable all translations (i.e. set a flag that is checked
> > on entry by selinux_trans_to_raw_context() and
> > selinux_raw_to_trans_context() and handled in the same manner as the !
> > mls_enabled case).  Then the translation daemon could just call any
> > libselinux function without needing to worry about accidentally
> > triggering a communication to itself.
> 
> I threw together a couple of patches.  Is this what you had in mind?

Essentially, yes.  I'd call it selinux_set_translation() instead, since
it can be used to subsequently re-enable them as well.  The libselinux
patch needs to go to selinux list.

On the mcstransd patch, it would be more flexible if we introduced a
separate class and permission for translations so that one could e.g.
configure translation-related policy differently than the file access
policy, although that naturally requires a patch to define the
class/perm for refpolicy and a patch for libselinux for the regenerated
headers.

-- 
Stephen Smalley
National Security Agency
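Added illustration of the flag discussed above; this is not code from the thread, from libselinux, or from mcstransd. It models a process-wide "translations disabled" switch that both translation entry points check first and, when it is clear, handle exactly like the !mls_enabled case (hand back a plain copy of the input) instead of consulting the daemon. selinux_set_translation() is the name proposed in the reply; the model_* and daemon_* functions, the two-entry label table, and the round-trip counter are hypothetical stand-ins constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libselinux/mcstransd code: a model of the proposed
 * translation on/off flag and of the two entry points that honour it. */

static int mls_enabled = 1;         /* assumed: an MLS policy is loaded     */
static int translation_enabled = 1; /* the proposed flag; on by default     */
static int daemon_round_trips = 0;  /* how often the "daemon" was consulted */

/* Stand-in for the proposed selinux_set_translation(): set the flag and
 * return its previous value so a caller can restore it afterwards. */
int selinux_set_translation(int enable)
{
    int prev = translation_enabled;
    translation_enabled = enable ? 1 : 0;
    return prev;
}

int translation_enabled_state(void) { return translation_enabled; }
int model_daemon_round_trips(void)  { return daemon_round_trips; }

/* Hypothetical stand-ins for the daemon round trip.  A constructed
 * two-entry table replaces the real setrans.conf lookup; in the library
 * this is the point where a socket connection to mcstransd would be made,
 * which is exactly what the daemon itself must never trigger. */
static char *daemon_trans_to_raw(const char *trans)
{
    daemon_round_trips++;
    if (strcmp(trans, "SystemHigh") == 0) return strdup("s0:c0.c1023");
    if (strcmp(trans, "SystemLow") == 0)  return strdup("s0");
    return strdup(trans);  /* unknown label: pass through unchanged */
}

static char *daemon_raw_to_trans(const char *raw)
{
    daemon_round_trips++;
    if (strcmp(raw, "s0:c0.c1023") == 0) return strdup("SystemHigh");
    if (strcmp(raw, "s0") == 0)          return strdup("SystemLow");
    return strdup(raw);
}

/* Modelled entry points (named model_* to make clear they are not the
 * library's selinux_trans_to_raw_context/selinux_raw_to_trans_context).
 * Both check the flag on entry and, when translation is off, take the same
 * path as !mls_enabled: a plain copy, no daemon.  Return 0 with *out
 * malloc'd on success, -1 on allocation failure. */
int model_trans_to_raw_context(const char *trans, char **out)
{
    if (!mls_enabled || !translation_enabled) {
        *out = strdup(trans);
        return *out ? 0 : -1;
    }
    *out = daemon_trans_to_raw(trans);
    return *out ? 0 : -1;
}

int model_raw_to_trans_context(const char *raw, char **out)
{
    if (!mls_enabled || !translation_enabled) {
        *out = strdup(raw);
        return *out ? 0 : -1;
    }
    *out = daemon_raw_to_trans(raw);
    return *out ? 0 : -1;
}

/* What the daemon would wrap around any libselinux call that might
 * translate: clear the flag, make the call, restore the previous value. */
int daemon_safe_raw_to_trans(const char *raw, char **out)
{
    int prev = selinux_set_translation(0);
    int rc = model_raw_to_trans_context(raw, out);
    selinux_set_translation(prev);
    return rc;
}

int main(void)
{
    char *s = NULL;
    model_raw_to_trans_context("s0:c0.c1023", &s);
    printf("ordinary client sees: %s (daemon round trips: %d)\n", s, daemon_round_trips);
    free(s);
    daemon_safe_raw_to_trans("s0:c0.c1023", &s);
    printf("daemon itself sees:   %s (daemon round trips: %d)\n", s, daemon_round_trips);
    free(s);
    return 0;
}
```

The point of the save/restore in daemon_safe_raw_to_trans() is that the flag is process-wide: a library routine that clears it and forgets to put it back would silently turn translation off for every later caller in that process.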
