From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 2 Jun 2014 11:12:44 -0400 Subject: [refpolicy] Do we need to keep "aliased" interfaces? In-Reply-To: <1401447241.7153.3.camel@x220.localdomain> References: <20140529165745.GA10882@siphos.be> <1401445749.6837.8.camel@x220.localdomain> <20140530104803.GA1540@siphos.be> <1401447241.7153.3.camel@x220.localdomain> Message-ID: <538C946C.30601@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/30/2014 06:54 AM, Dominick Grift wrote: > On Fri, 2014-05-30 at 12:48 +0200, Sven Vermeulen wrote: > >> >> But are prefix domains still something we want to work on? I thought that >> proper desktop confinement is better done using the user-based access >> control constraints. > > I will leave that decision to you and others > > My opinion though: > UBAC does not deal with the fact that we need to be able to tell selinux > when a confined domain needs to execute an file in a calling user domain > (or another confined domain type derived from the calling user domain) The preference would be to keep a common domain and separate it with UBAC except for the cases, as Dominick states, have type transition problems. Su and sudo are examples where the domains are essentially equivalent, but they have derived types so the default transition is back to the calling domain on shell exec(). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com