On Fri, 2006-12-08 at 07:47 +1100, Russell Coker wrote:
> On Friday 08 December 2006 07:11, Stephen Smalley <[EMAIL PROTECTED]> wrote:
> > Note however that the parallel thread on redhat-lspp has proposed using
> > Dan's patch (with fixes) for now to get the desired behavior for MLS,
> > renaming the current "context" option in namespace.conf to "level" to be
> > specific to level instantiation, and later introduce "role" or "context"
> > for role-based and/or full context instantiation when/if such support
> > exists in the kernel and/or policy.
>
> Having the choice of instantiating by level, role, or by full context seems
> like a useful feature to me.

Yes, although it somewhat breaks the intended encapsulation of the context and security_compute_member interface. At that point the level returned by security_compute_member becomes rather irrelevant - it would always be overridden by the logic in pam_namespace itself based on whether "level" was specified.

--
Stephen Smalley
National Security Agency
