--- Klaus Weidner <[EMAIL PROTECTED]> wrote:
> ... the issue here is setting the default label that will be used
> for objects created in the future, similar to umask. It's for cases
> where an unprivileged process has the right to choose between various
> SELinux types that the MLS policy doesn't care about, but only
> privileged processes will have the right to select the MLS label.

Yeah. Setting a passive security attribute of a process (e.g. the umask) may or may not be interpreted as a change in the security state of the system. It's painless to audit such a change. Since you're auditing the creation of the object that gets the attribute and including the MLS information of the process and of the newly created object that won't be a problem either.

Casey Schaufler
[EMAIL PROTECTED]

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
