On Tue, 2006-10-31 at 09:24 -0500, Stephen Smalley wrote:
> On Tue, 2006-10-31 at 09:23 -0500, Stephen Smalley wrote:
> >
> > In addition to the permission name, I'd have expected the rule (and the
> > check in the code) to always use the same type in both contexts, so the
> > rules could just be:
> >     allow $1 self:context <permissionname>;
> >
> > Not allow $1 domain:context, which will yield many more rules without
> > any real justification.
Ok, I can fix that to be just self:context.
> I'm also unclear as to what you are checking - you seem to be putting
> this in authlogin, but I had expected this to be a check between two
> user contexts, identical in all respects except for the MLS ranges (one
> from seusers, one from the user-supplied input).
AIUI the code in authlogin allows all of the login type programs (like
getty) to call the check. The check being performed is in policy/mls and
is just:
    mlsconstrain context transition
        ( h1 dom h2 );
...have I misunderstood this?
--
James Antill <[EMAIL PROTECTED]>
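
Added example (not part of the original message and not code from the policy or libraries discussed): a Python model of the dominance test that "h1 dom h2" expresses, where h1 and h2 are the high levels of the source and target MLS ranges. The function names and sample ranges are constructed for illustration; which of the seusers range and the user-supplied range is the source is not stated in the thread, so the first argument is simply treated as the source.

```python
import re

def parse_level(text):
    """Parse a level such as 's3:c0.c2,c5' into (sensitivity, categories)."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for part in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # 'c5' or 'c0.c2'
        if not c:
            raise ValueError(f"bad category: {part!r}")
        lo, hi = int(c[1]), int(c[2] or c[1])
        if hi < lo:
            raise ValueError(f"reversed category span: {part!r}")
        categories.update(range(lo, hi + 1))
    return int(m[1]), frozenset(categories)

def dom(a, b):
    """a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def parse_range(text):
    """Parse 'low-high' (or a single level) into (low, high) levels."""
    low_text, sep, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if sep else low
    if not dom(high, low):
        raise ValueError(f"high level must dominate low level: {text!r}")
    return low, high

def transition_allowed(source_range, target_range):
    """Model of '( h1 dom h2 )': only the two high levels are compared."""
    h1 = parse_range(source_range)[1]
    h2 = parse_range(target_range)[1]
    return dom(h1, h2)

if __name__ == "__main__":
    # Constructed sample ranges, not taken from any real seusers file.
    for src, tgt in [("s0-s15:c0.c1023", "s0-s3:c0.c5"),
                     ("s0-s3:c0.c5", "s0-s15:c0.c1023"),
                     ("s0-s5:c1", "s0-s2:c2")]:
        print(src, "->", tgt, ":", transition_allowed(src, tgt))
```

The third sample pair is denied even though the source sensitivity is higher, because neither category set contains the other.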
