On May 28, 2007, at 16:38:38, Pavel Machek wrote:
quoted text
> Kyle Moffett wrote:
>> I am of the opinion that adding a  "name" parameter to the file/ 
>> directory create actions would be useful.  For example, with such  
>> support you could actually specify a  type-transition rule  
>> conditional on a specific name or substring:
>>
>> named_type_transition sshd_t tmp_t:sock_file prefix "ssh-"  
>> ssh_sock_t;
>>
>> Useful options for matching would be "prefix", "suffix", "substr  
>> (start,len)".  "regex" would be nice but is sorta computationally  
>> intensive and would be likely to cause more problems than it solves.
>
> Could someone implement this? AFAICT that prevents SELinux from  
> being superset of AppArmor... Doing this should be significantly  
> simpler than whole AA, and hopefully it will end up less ugly, too.

Really it would need to extend all action-match items with new  
"named_" equivalents, and most callbacks would need to be extended to  
pass in an object name, if available.  On the other hand, with such  
support implemented then the AppArmor policy compilation tools could  
be transformed into a simple SELinux policy generator.  I estimate  
that the number of new lines of kernel code for such a modified  
SELinux would be 100x less than the kernel code in AppArmor.

Cheers,
Kyle Moffett

-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/