On Fri, 28 May 2004 11:51:38 CDT, Bob Gustafson <bobgus(a)rcn.com> said:
>> /datastore/mydata(/.*)? system_u:object_r:mysqld_db_t
>> /datastore(/.*)? system_u:object_r:mysqld_db_t
>>
>> (Hint - what happens if there's a /datastore/otherstuff directory?)
>
> Assuming that /datastore/mydata(/.*) is more restrictive than
> /datastore(/.*), the testing probe could be a small program that 'looks
> like' mysqld (assumes same roles with same selinux tags as mysqld) which
> tries to access files in the 'crack' between /datastore/mydata and
> /datastore. As part of the testing procedure, files could be dropped in the
> 'crack' for this test program to access.

Yes. However, you just forgot to verify that SAS still works when accessing
its datasets in /datastore/otherstuff because it's labeled mysql_db_t instead
of whatever it should have been for SAS...
Or maybe it wasn't SAS, but Mathematica. Or was it that other app???
(Yes, it was a trick question to make a point....)
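
The check the reply asks for, sketched as an added example that is not part of the original message: it resolves each path against the two quoted entries and reports data that belongs to another application but ends up with the mysqld type. The path inventory and the type-to-owner map are constructed for illustration, and "last matching anchored regex wins" is a simplification of how libselinux orders entries (both entries here carry the same label, so the result does not depend on it).

```python
import re

# The two file-context entries quoted in the thread.
SPECS = [
    (r"/datastore/mydata(/.*)?", "system_u:object_r:mysqld_db_t"),
    (r"/datastore(/.*)?", "system_u:object_r:mysqld_db_t"),
]

# Constructed inventory: path -> application that actually owns the data.
INVENTORY = {
    "/datastore/mydata/ibdata1": "mysqld",
    "/datastore/otherstuff": "sas",
    "/datastore/otherstuff/q2.sas7bdat": "sas",
    "/srv/unrelated/file": "other",
}

# Assumption: which application each type is meant to serve.
TYPE_OWNER = {"mysqld_db_t": "mysqld"}


def context_for(path, specs=SPECS):
    """Return the context of the last entry whose anchored regex matches."""
    matched = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):  # file-context patterns match the whole path
            matched = context
    return matched


def mislabeled(inventory=INVENTORY, specs=SPECS):
    """List (path, owning app, type) where the type belongs to a different app."""
    findings = []
    for path, app in sorted(inventory.items()):
        context = context_for(path, specs)
        if context is None:
            continue  # no entry applies; the default label is out of scope here
        se_type = context.split(":")[2]
        owner = TYPE_OWNER.get(se_type)
        if owner is not None and owner != app:
            findings.append((path, app, se_type))
    return findings


if __name__ == "__main__":
    for path, app, se_type in mislabeled():
        print(f"{path}: owned by {app} but labeled {se_type}")
```

Dropping the second entry (`SPECS[:1]`) leaves the SAS paths unmatched by either mysqld rule, which is the difference the hint was pointing at.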