Many to one translations in setrans.conf
Daniel J Walsh
dwalsh at redhat.com
Wed Apr 11 16:02:11 UTC 2007
Joe Nall wrote:
> We have been using /etc/selinux/mls/setrans.conf files that use
> multiple equivalent translations to support common aliases. For example:
>
> s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
> s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
> s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
> s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
> s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
> s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
>
> This has the effect of mapping all of these labels to a common
> context. This context maps back to the first translation
> (CONFIDENTIAL//REL FU).
>
> 'semanage translation -a -T ...' has different behavior. When a
> translation is added, it rewrites the file using the last (C O N F I D
> E N T I A L RELEASABLE TO BAR) translation and deletes the other
> translations. It also moves all of the comments to the top, moving
> them away from the translation they are documenting.
>
> Should we be using this many to one behavior to support aliases? Is it
> broken in other ways that we have not discovered yet?
>
No, I think this is fine, but the tool is probably broken.
> joe
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
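An added example, not part of the original thread and not code from mcstransd or semanage: a small Python audit that models the two behaviours reported above (the reverse translation uses the first entry; a rewrite keeps only the last) and lists the aliases a rewrite would drop. It assumes the simple raw=label line format shown in the message; the function names are hypothetical, and the sample is the quoted translations plus one constructed comment line.

```python
# Sample: the translations quoted in the thread; the comment line is constructed.
SAMPLE = """\
# releasability aliases (constructed comment)
s2:c1.c225,c227.c253=CONFIDENTIAL//REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL FU
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO FU
s2:c1.c225,c227.c253=CONFIDENTIAL//REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L REL BAR
s2:c1.c225,c227.c253=C O N F I D E N T I A L RELEASABLE TO BAR
"""

def parse_setrans(text):
    """Return [(raw_range, label), ...] in file order, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        raw, label = line.split("=", 1)   # labels may contain spaces and slashes
        entries.append((raw.strip(), label.strip()))
    return entries

def build_maps(entries):
    """Model of the behaviour described in the thread (an assumption, not verified
    against mcstransd): every alias resolves to its raw range, and a raw range
    translates back to the first label listed for it."""
    to_raw, to_label = {}, {}
    for raw, label in entries:
        to_raw[label] = raw
        to_label.setdefault(raw, label)   # first entry wins for the reverse mapping
    return to_raw, to_label

def lost_on_rewrite(entries):
    """Aliases that disappear if a rewrite keeps only the last translation per raw
    range, which is what the thread reports for 'semanage translation -a'."""
    last = {raw: label for raw, label in entries}   # later entries overwrite earlier
    return [label for raw, label in entries if last[raw] != label]

if __name__ == "__main__":
    entries = parse_setrans(SAMPLE)
    to_raw, to_label = build_maps(entries)
    for raw, label in to_label.items():
        aliases = [l for l, r in to_raw.items() if r == raw]
        print(f"{raw}: displays as {label!r}, accepts {len(aliases)} aliases")
    for label in lost_on_rewrite(entries):
        print("would be dropped by rewrite:", label)
```

Running it against a copy of setrans.conf before and after a semanage change shows which user-visible labels stop resolving and whether the displayed label for a range has changed.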