On Tue, 2010-01-26 at 12:52 -0500, Stephen Smalley wrote:
> Alternatively to spending time on documenting the current limitation, it
> might be more interesting to try removing the restriction from the
> SELinux kernel code and investigating what needs to be done within the
> kernel to enable it to be done safely. Primarily this would mean:
> - pushing the selinux_mls_enabled flag inside the policydb so that it
> could be per-policydb (this is already the case in libsepol),
> - in the non-MLS to MLS case, ensuring that the MLS fields of the
> context for all existing entries in the sidtab are filled in with a
> suitable default value, likely taken from one of the initial SIDs,
> - in the MLS to non-MLS case, freeing any storage used by the MLS fields
> in the context for all existing entries in the sidtab.
FYI, both of the latter two items would be handled inside of ss/services.c:convert_context().

--
Stephen Smalley
National Security Agency
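The two sidtab conversion cases from the quoted list (non-MLS to MLS and MLS to non-MLS), as an added example that is not code from this thread or from the SELinux kernel: a simplified C model assuming hypothetical struct names (struct context, struct policydb, a plain array standing in for the sidtab) and a default range supplied by the new policy, standing in for the range of an initial SID.

```c
/* Added example: simplified model of converting existing sidtab entries when
 * the MLS flag changes between the old and new policydb. Struct names and
 * fields are assumptions; the real logic lives in ss/services.c. */
#include <stdlib.h>
#include <string.h>

struct mls_range { unsigned low_sens, high_sens; }; /* simplified: no category sets */

struct context {
    unsigned user, role, type;
    struct mls_range *range;       /* NULL while the policy is non-MLS */
};

struct policydb {
    int mls_enabled;               /* per-policydb flag, as proposed in the thread */
    struct mls_range default_range; /* taken from an initial SID, e.g. the kernel SID */
};

/* Convert one context from oldp's format to newp's. Returns 0 or -1 on allocation failure. */
int convert_context(const struct policydb *oldp, const struct policydb *newp, struct context *ctx) {
    if (!oldp->mls_enabled && newp->mls_enabled) {
        /* non-MLS -> MLS: the entry has no MLS fields yet, so fill in the default */
        if (!ctx->range) {
            ctx->range = malloc(sizeof(*ctx->range));
            if (!ctx->range) return -1;
        }
        *ctx->range = newp->default_range;
    } else if (oldp->mls_enabled && !newp->mls_enabled) {
        /* MLS -> non-MLS: release the storage held by the MLS fields */
        free(ctx->range);
        ctx->range = NULL;
    }
    return 0;
}

/* Convert every entry of a sidtab modelled as an array; returns entries converted or -1. */
int convert_sidtab(const struct policydb *oldp, const struct policydb *newp, struct context *tab, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (convert_context(oldp, newp, &tab[i]) < 0) return -1;
    return (int)n;
}

/* Round trip: load an MLS policy over a non-MLS one, then go back. Returns checks passed (4). */
int demo_round_trip(void) {
    struct policydb nomls = { 0, { 0, 0 } }, mls = { 1, { 0, 15 } };
    struct context tab[2] = { { 1, 2, 3, NULL }, { 4, 5, 6, NULL } };
    int ok = 0;
    ok += convert_sidtab(&nomls, &mls, tab, 2) == 2;
    ok += tab[0].range && tab[1].range && tab[1].range->high_sens == 15;
    ok += convert_sidtab(&mls, &nomls, tab, 2) == 2;
    ok += tab[0].range == NULL && tab[1].range == NULL; /* no leaked MLS storage */
    return ok;
}
```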