From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 27 Jun 2012 10:17:49 -0400
Subject: [refpolicy] [PATCH v3 1/3] Support read/append/manage functions for various httpd content
In-Reply-To: <1340745030.12652.15.camel@x220.mydomain.internal>
References: <20120624110736.GA995@siphos.be>
 <20120624110826.GB995@siphos.be>
 <4FE9B7AD.6010707@tresys.com>
 <1340719037.12652.6.camel@x220.mydomain.internal>
 <4FE9C15D.6050405@tresys.com>
 <20120626203841.GA19892@siphos.be>
 <1340745030.12652.15.camel@x220.mydomain.internal>
Message-ID: <4FEB160D.7040508@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/26/12 17:10, Dominick Grift wrote:
> On Tue, 2012-06-26 at 22:38 +0200, Sven Vermeulen wrote:
>
>>
>> And while I'm on it, what is the difference between a spec_domtrans and a
>> regular one? Is that only that the transition doesn't occur automatically
>> (i.e. the application has to be SELinux-aware to use it)?
>
> A spec domtrans allows you to specify a target domain.
>
> A normal domtrans takes a single parameter (source) domain.
>
> A spec domtrans takes two parameters (source domain) target domain.

Actually Sven is right on this one. It's supposed to be the difference between
an automatic domain transition (via type_transition) and specifying the
transition in SELinux-aware code (via setexec). See misc_patterns.spt.

Perhaps we should change "spec" to "setexec" to try to clarify.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
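The distinction Chris describes, spelled out as an added illustration that is not part of this thread or of the refpolicy tree: the two macros below are my rendering of the `domain_transition_pattern` / `domain_auto_transition_pattern` pair from misc_patterns.spt, and the exact permission sets in them are an assumption from memory. The only difference that matters for the "spec" vs. regular question is the one `type_transition` line. The domain and type names in the usage comments (`example_t`, `httpd_exec_t`, `httpd_t`) are placeholders.

```m4
# Added illustration of the domtrans vs. spec_domtrans difference.
# Not code from refpolicy or from this patch series; permission sets are
# an approximation of misc_patterns.spt and should be checked against the
# real file before reuse.

# "Spec" (setexec-only) transition: grants every access vector the
# transition needs, but contains NO type_transition rule.  The kernel
# will therefore keep $1 in its own domain on exec() unless the process
# first asks for the new domain itself, i.e. calls setexeccon(3) with
# the $3 context before exec().  Only SELinux-aware code can use this.
define(`domain_transition_pattern',`
	allow $1 $2:file { getattr open read execute };
	allow $1 $3:process transition;
	dontaudit $1 $3:process { noatsecure siginh rlimitinh };
	allow $3 $1:fd use;
	allow $3 $1:fifo_file rw_fifo_file_perms;
	allow $3 $1:process sigchld;
')

# "Regular" (automatic) transition: the same access vectors plus a
# type_transition rule, so the kernel relabels the process to $3 on
# exec() of a $2 file with no cooperation from the program.  An
# unaware program cannot avoid it; a setexeccon() call can still
# override the default as long as the chosen domain is allowed.
define(`domain_auto_transition_pattern',`
	domain_transition_pattern($1,$2,$3)
	type_transition $1 $2:process $3;
')

# Placeholder usage, as an interface would expand them for a caller:
#   automatic  : domain_auto_transition_pattern(example_t, httpd_exec_t, httpd_t)
#   setexec    : domain_transition_pattern(example_t, httpd_exec_t, httpd_t)
#
# Sanity check on a live system: with only the setexec form, a plain
# `exec` of a file labelled httpd_exec_t leaves the caller in example_t
# (check with `id -Z` or /proc/<pid>/attr/current); with the automatic
# form the new process shows up in httpd_t without any code change.
```

When reviewing a policy module, the quick way to tell the two apart is to grep the expanded policy for `type_transition ... :process`: an interface named `*_spec_domtrans_*` should not contribute one, while `*_domtrans_*` should.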