|Main Archive Page > Month Archives > selinux archives|
-----BEGIN PGP SIGNED MESSAGE-----
On 04/28/2010 10:25 AM, Karl MacMillan wrote:
I understand, although I don't agree with penalizying because you match
on an attribute, Currently if I wrote this interface the way I want,
with just the attribute your algorithm would not find it at all.
files_read_etc_files to me means match all config files in the /etc
directory, just because some random application decides to change the
context of /etc/hostname to etc_runtime_t or net_conf_t, we should not
need to change all domains that are supposed to read generic files in
/etc. Especially when I don't even need to read them.
I would argue that
allow X etc_t:file read;
allow X configfile:file read;
Should be weighted equivalently if etc_t is a configfile or only
slightly heavier, and just because etc_runtime_t or some other random
types are configfile does not mean we need to add weight.
But when the attribute adds more weight then "write" does, I think the
algorithm is broken.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to firstname.lastname@example.org with the words "unsubscribe selinux" without quotes as the message.