* LSM site down!
@ 2007-03-10 16:29 Masoom Alam
  2007-03-12 12:35 ` Stephen Smalley
  0 siblings, 1 reply; 18+ messages in thread
From: Masoom Alam @ 2007-03-10 16:29 UTC (permalink / raw)
  To: SELinux List

Hi,

Could anybody kindly update me on the current status
of the lsm.immunix.org/ website?
Is it available under a new name, or is it down for
maintenance, or will it no longer be available?

Thank You,
MA

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: LSM site down!
  2007-03-10 16:29 LSM site down! Masoom Alam
@ 2007-03-12 12:35 ` Stephen Smalley
  2007-03-12 13:29   ` Some good reference for stacking SELinux LSM JanuGerman
  2007-03-13 10:29   ` Confirmation about task_has_security in selinuxfs.c JanuGerman
  0 siblings, 2 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-12 12:35 UTC (permalink / raw)
  To: Masoom Alam; +Cc: SELinux List

On Sat, 2007-03-10 at 16:29 +0000, Masoom Alam wrote:
> Hi,
> 
> Could anybody kindly update me on the current status
> of the lsm.immunix.org/ website?
> Is it available under a new name, or is it down for
> maintenance, or will it no longer be available?

It was taken down by its maintainers (not us), and the mailing list was
moved to vger.kernel.org.
Subscription info is at:
http://vger.kernel.org/vger-lists.html#linux-security-module
Unofficial mailing list archives are at:
http://marc.theaimsgroup.com/?l=linux-security-module

Note that the LSM framework was merged into mainline Linux during the
2.5 development series and is included in the Linux 2.6 stable series,
so there is no longer any need for kernel patches for LSM.

-- 
Stephen Smalley
National Security Agency



* Some good reference for stacking SELinux LSM
  2007-03-12 12:35 ` Stephen Smalley
@ 2007-03-12 13:29   ` JanuGerman
  2007-03-12 13:36     ` Stephen Smalley
  2007-03-13 10:29   ` Confirmation about task_has_security in selinuxfs.c JanuGerman
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-12 13:29 UTC (permalink / raw)
  To: SELinux List

Hi All,

I am a newbie in SELinux and need some good reference
for stacking a security module upon the SELinux LSM.
Currently I have the document "Implementing SELinux as
a Linux Security Module". Any pointer to some other
document will be highly appreciated.

Best Regards,
MA


* Re: Some good reference for stacking SELinux LSM
  2007-03-12 13:29   ` Some good reference for stacking SELinux LSM JanuGerman
@ 2007-03-12 13:36     ` Stephen Smalley
  0 siblings, 0 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-12 13:36 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Mon, 2007-03-12 at 13:29 +0000, JanuGerman wrote:
> Hi All,
> 
> I am a newbie in SELinux and need some good reference
> for stacking a security module upon the SELinux LSM.
> Currently I have the document "Implementing SELinux as
> a Linux Security Module". Any pointer to some other
> document will be highly appreciated.

We don't recommend stacking of security modules, and SELinux only
supports such stacking for the trivial case where only it uses the
security fields (as with capabilities).  Some prior discussions of this
topic:
http://marc.info/?l=selinux&m=116897135223285&w=2
http://marc.info/?l=selinux&m=116964869224041&w=2

-- 
Stephen Smalley
National Security Agency



* Confirmation about task_has_security in selinuxfs.c
  2007-03-12 12:35 ` Stephen Smalley
  2007-03-12 13:29   ` Some good reference for stacking SELinux LSM JanuGerman
@ 2007-03-13 10:29   ` JanuGerman
  2007-03-13 11:54     ` Stephen Smalley
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-13 10:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi All,

I wanted to confirm that the function
"task_has_security" is the one which interacts with
the Security Server for access decisions, and that the
variable "tsec" is the one which stores and conveys
the ultimate access decision by the SELinux Security
Server.

According to the documentation, the SELinux filesystem
interacts with the Security Server, which further
checks for the possibility of a decision stored in the
Access Vector Cache.

If not, kindly guide me to the location responsible
for the interaction with the security server.

Thank You,
MA



* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 10:29   ` Confirmation about task_has_security in selinuxfs.c JanuGerman
@ 2007-03-13 11:54     ` Stephen Smalley
  2007-03-13 15:01       ` JanuGerman
  0 siblings, 1 reply; 18+ messages in thread
From: Stephen Smalley @ 2007-03-13 11:54 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Tue, 2007-03-13 at 10:29 +0000, JanuGerman wrote:
> Hi All,
> 
> I wanted to confirm that the function
> "task_has_security" is the one which interacts with
> the Security Server for access decisions, and that the
> variable "tsec" is the one which stores and conveys
> the ultimate access decision by the SELinux Security
> Server.
> 
> According to the documentation, the SELinux filesystem
> interacts with the Security Server, which further
> checks for the possibility of a decision stored in the
> Access Vector Cache.
> 
> If not, kindly guide me to the location responsible
> for the interaction with the security server.

The security server interface is defined in
security/selinux/include/security.h, and implemented in
security/selinux/ss/services.c (the ss/ subdirectory contains all of the
security server code).  The selinuxfs implementation in
security/selinux/selinuxfs.c uses those interfaces to get security
decisions.  Also, the selinuxfs implementation performs permission
checks to control what processes can use its interfaces, and those
checks are performed using task_has_security, which calls the AVC, which
uses a cached decision if present or calls the security server on a
cache miss.  tsec is just a pointer to the task's security state; it
isn't an access decision.

-- 
Stephen Smalley
National Security Agency



* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 11:54     ` Stephen Smalley
@ 2007-03-13 15:01       ` JanuGerman
  2007-03-13 15:08         ` Stephen Smalley
  0 siblings, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-13 15:01 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi Stephen,

Are the following lines in selinuxfs.c the ones that get
the final decision from the security server?

	length = security_compute_av(ssid, tsid, tclass, req, &avd);
	if (length < 0)
		goto out2;
	...


Actually, I am interested in locating the last point at
which selinuxfs.c communicates with the security
server for an access decision (no matter whether cached or
not) and then conveys the decision back to the LSM
hook.

Alternatively, the point at which the DAC checks are
again checked by the LSM hook, which queries the SELinux
LSM. I have checked "security.c", which contains
the SELinux LSM hook registration, but did not succeed
in locating the point where all these calls are taking
place.

Thank You,
MA


* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 15:01       ` JanuGerman
@ 2007-03-13 15:08         ` Stephen Smalley
  2007-03-13 17:08           ` JanuGerman
  2007-03-20 16:57           ` Confirmation about task_has_security in selinuxfs.c JanuGerman
  0 siblings, 2 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-13 15:08 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Tue, 2007-03-13 at 15:01 +0000, JanuGerman wrote:
> Hi Stephen,
> 
> Are the following lines in selinuxfs.c the ones that get
> the final decision from the security server?
> 
> 	length = security_compute_av(ssid, tsid, tclass, req, &avd);
> 	if (length < 0)
> 		goto out2;
> 	...

For that particular call, yes.

> Actually, I am interested in locating the last point at
> which selinuxfs.c communicates with the security
> server for an access decision (no matter whether cached or
> not) and then conveys the decision back to the LSM
> hook.

You seem to misunderstand the purpose of selinuxfs.  selinuxfs is a
pseudo filesystem interface between applications and the SELinux kernel
module.  It isn't used by the LSM hooks called by the kernel.  The hook
functions are implemented in security/selinux/hooks.c.

> Alternatively, the point at which the DAC checks are
> again checked by the LSM hook, which queries the SELinux
> LSM. I have checked "security.c", which contains
> the SELinux LSM hook registration, but did not succeed
> in locating the point where all these calls are taking
> place.

Perhaps an example would make things clearer.  During open(2)
processing, the fs/namei.c:permission() function is called to check
permissions.  That function first applies the usual Linux checks,
including DAC checks, and, if they pass, the function then calls the LSM
security_inode_permission() hook, which is defined by
include/linux/security.h.  If using SELinux, this hook will call
selinux_inode_permission() in security/selinux/hooks.c, which calls
inode_has_perm(), which calls avc_has_perm() in security/selinux/avc.c.
That is the access vector cache.  If there is a cache miss, then
avc_has_perm_noaudit() in avc.c will call security_compute_av() to get
the decision from the security server.  selinuxfs is not involved in
that code path.

-- 
Stephen Smalley
National Security Agency


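The open(2) path Stephen lays out above, as an added example that is not part of the thread and not kernel code: a user-space C model in which permission() applies the DAC check first, calls the security_inode_permission() hook only if DAC passes, the SELinux hook goes through inode_has_perm() to avc_has_perm(), and the AVC calls security_compute_av() only on a cache miss. The struct layouts, function signatures, SIDs, policy table, hash function and counters are all constructed for this example and differ from the real ones in security/selinux; group mode bits are ignored to keep the DAC check short.

```c
/* Added example, not code from the thread or the kernel: a user-space
 * model of the open(2) permission path (DAC, then LSM hook, then AVC,
 * then security server on a miss). Every structure, SID, policy entry,
 * hash and counter below is constructed for the example. */
#include <stdio.h>
#include <errno.h>

#define MAY_WRITE 0x2            /* same bit values as the rwx mode bits */
#define MAY_READ  0x4
#define CLASS_FILE 1
enum { SID_HTTPD_T = 2, SID_ETC_T = 10, SID_SHADOW_T = 11 }; /* constructed SIDs */

struct task  { unsigned uid; unsigned sid; };
struct inode { unsigned uid; unsigned mode; unsigned sid; }; /* mode as 0644 etc. */
struct av_decision { unsigned allowed; };

/* Counters so a caller can see which layer actually answered. */
int avc_hits, avc_misses, compute_av_calls;

/* --- security server (stands in for security/selinux/ss/services.c) --- */
static const struct { unsigned ssid, tsid, tclass, allowed; } policy[] = {
    { SID_HTTPD_T, SID_ETC_T, CLASS_FILE, MAY_READ },
    /* no rule mentions SID_SHADOW_T, so every access to it is denied */
};

int security_compute_av(unsigned ssid, unsigned tsid, unsigned tclass,
                        struct av_decision *avd)
{
    compute_av_calls++;
    avd->allowed = 0;
    for (unsigned i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].ssid == ssid && policy[i].tsid == tsid && policy[i].tclass == tclass)
            avd->allowed |= policy[i].allowed;
    return 0;
}

/* --- access vector cache (stands in for security/selinux/avc.c) --- */
struct avc_node { int valid; unsigned ssid, tsid, tclass; struct av_decision avd; };
static struct avc_node avc_cache[16];

int avc_has_perm(unsigned ssid, unsigned tsid, unsigned tclass, unsigned requested)
{
    struct avc_node *n = &avc_cache[(ssid * 31 + tsid * 7 + tclass) % 16];
    if (n->valid && n->ssid == ssid && n->tsid == tsid && n->tclass == tclass) {
        avc_hits++;
    } else {                                   /* miss: ask the security server */
        avc_misses++;
        n->ssid = ssid; n->tsid = tsid; n->tclass = tclass;
        if (security_compute_av(ssid, tsid, tclass, &n->avd) < 0)
            return -EINVAL;
        n->valid = 1;
    }
    /* Every requested bit must be in the allowed vector (the real AVC audits here). */
    return (requested & ~n->avd.allowed) ? -EACCES : 0;
}

/* --- SELinux hook functions (stand in for security/selinux/hooks.c) --- */
static int inode_has_perm(const struct task *t, const struct inode *i, unsigned perms)
{
    return avc_has_perm(t->sid, i->sid, CLASS_FILE, perms);
}

static int selinux_inode_permission(const struct task *t, const struct inode *i, int mask)
{
    if (!mask) return 0;
    return inode_has_perm(t, i, (unsigned)mask);
}

/* --- LSM framework hook (stands in for include/linux/security.h) --- */
static int (*ops_inode_permission)(const struct task *, const struct inode *, int)
    = selinux_inode_permission;              /* the registered module's hook */

static int security_inode_permission(const struct task *t, const struct inode *i, int mask)
{
    return ops_inode_permission(t, i, mask);
}

/* --- VFS (stands in for fs/namei.c:permission()) --- */
int permission(const struct task *t, const struct inode *i, int mask)
{
    if (t->uid != 0) {           /* DAC: root bypasses mode bits; group bits ignored here */
        unsigned bits = (t->uid == i->uid) ? (i->mode >> 6) & 7 : i->mode & 7;
        if ((unsigned)mask & ~bits)
            return -EACCES;      /* denied by DAC: the LSM hook is never reached */
    }
    return security_inode_permission(t, i, mask);   /* DAC passed: now ask the LSM */
}

/* Convenience wrapper: build a task and an inode and run the full path. */
int check(unsigned uid, unsigned ssid, unsigned file_uid, unsigned mode,
          unsigned tsid, int mask)
{
    struct task t = { uid, ssid };
    struct inode i = { file_uid, mode, tsid };
    return permission(&t, &i, mask);
}

int main(void)
{
    printf("httpd reads etc_t 0644:    %d (miss, ss calls=%d)\n",
           check(48, SID_HTTPD_T, 0, 0644, SID_ETC_T, MAY_READ), compute_av_calls);
    printf("same again:                %d (hits=%d, ss calls=%d)\n",
           check(48, SID_HTTPD_T, 0, 0644, SID_ETC_T, MAY_READ), avc_hits, compute_av_calls);
    printf("httpd reads shadow_t 0600: %d (DAC denies, ss calls=%d)\n",
           check(48, SID_HTTPD_T, 0, 0600, SID_SHADOW_T, MAY_READ), compute_av_calls);
    printf("root writes etc_t 0644:    %d (MAC still applies to uid 0)\n",
           check(0, SID_HTTPD_T, 0, 0644, SID_ETC_T, MAY_WRITE));
    return 0;
}
```

The counters make the ordering visible: a DAC denial never increments compute_av_calls, a repeated query is answered by the cache, and uid 0 bypasses the mode bits but not the AVC decision.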

* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 15:08         ` Stephen Smalley
@ 2007-03-13 17:08           ` JanuGerman
  2007-03-13 17:26             ` Stephen Smalley
  2007-03-20 16:57           ` Confirmation about task_has_security in selinuxfs.c JanuGerman
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-13 17:08 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi Stephen,

Thanks for the response.


From the discussion on this list and on
linux-security-module, I deduce (kindly correct me if
I am wrong) that the best option is not to have
another security LSM stacked on SELinux.

The remaining option for me is to include my
own module call within fs/namei.c:permission(),
after the selinux_inode_permission() and/or
security_inode_permission() call.

For this, do I need to follow some special procedure
to register my own module with the Linux kernel, or will a
simple call to some module suffice, followed
by kernel recompilation? This way, there will be
no conflict between the LSM of SELinux and a custom
security module, in my opinion.

Further, within the security folder in the kernel
tree, the 2.6.20 Linux kernel distribution is shipped
with a file root_plug.c (written by Greg
Kroah-Hartman), which is a classic introduction to
Linux Security Modules (LSM). The folder also contains
the SELinux folder. In this context, is the
root_plug.c security module stacked with the
SELinux security module or not?

Thank You,
MA



* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 17:08           ` JanuGerman
@ 2007-03-13 17:26             ` Stephen Smalley
  2007-03-14  6:25               ` JanuGerman
  2007-03-15 15:05               ` SELinux configuration problems on Fedora Core 6 JanuGerman
  0 siblings, 2 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-13 17:26 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Tue, 2007-03-13 at 17:08 +0000, JanuGerman wrote:
> From the discussion on this list and on
> linux-security-module, I deduce (kindly correct me if
> I am wrong) that the best option is not to have
> another security LSM stacked on SELinux.

Correct.

> The remaining option for me is to include my
> own module call within fs/namei.c:permission(),
> after the selinux_inode_permission() and/or
> security_inode_permission() call.

The first question to ask is what are you trying to do with your module,
and could it be done through configuration of the existing SELinux
mechanism?  If so, you get to leverage all of the work that has gone
into SELinux to date and all the work that will continue to go into it
in the future.  Not only kernel work, but also userland integration,
policy development, policy tools, policy management infrastructure, etc.

Then, if SELinux truly can't provide what you need as is, the next
logical question is whether you could implement your extension as part
of the SELinux security server (interface defined by
security/selinux/include/security.h, code under security/selinux/ss/)
without requiring any changes to that interface, as the interface was
designed to support many different security models.  If so, you don't
need to modify anything outside of the ss/ subdirectory and you get to
leverage all of the rest of the SELinux kernel and userland support
unmodified.  Even if you do have to modify the security server interface
somewhat, if you can limit yourself to a small extension to that
interface and keep the bulk of your changes localized to the security
server, you reduce your divergence from mainline SELinux and thus
maximize your ability to leverage its existing facilities.

Only if neither of those avenues suffice should you consider modifying
the SELinux hook functions, the LSM hooks, or the core kernel.  And
naturally you would seek to do it in the least invasive manner possible,
so if you can do it within the SELinux hook functions, that would be
least invasive.

> For this, do I need to follow some special procedure
> to register my own module with the Linux kernel, or will a
> simple call to some module suffice, followed
> by kernel recompilation? This way, there will be
> no conflict between the LSM of SELinux and a custom
> security module, in my opinion.

Depends on your approach above and whether you are creating a general
facility for all such "modules" or just adding your own code.  We
wouldn't encourage arbitrary hooking of SELinux.

> Further, within the security folder in the kernel
> tree, the 2.6.20 Linux kernel distribution is shipped
> with a file root_plug.c (written by Greg
> Kroah-Hartman), which is a classic introduction to
> Linux Security Modules (LSM). The folder also contains
> the SELinux folder. In this context, is the
> root_plug.c security module stacked with the
> SELinux security module or not?

We don't use root_plug, and it was only written as a toy example of an
LSM by Greg, not intended for production use.  You might be able to
stack it by virtue of the fact that it doesn't use the security fields,
but I don't know why you would do so.

-- 
Stephen Smalley
National Security Agency



* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 17:26             ` Stephen Smalley
@ 2007-03-14  6:25               ` JanuGerman
  2007-03-19 12:36                 ` Stephen Smalley
  2007-03-15 15:05               ` SELinux configuration problems on Fedora Core 6 JanuGerman
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-14  6:25 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

> The first question to ask is what are you trying to
> do with your module,

I was interested in LSM stacking for my project. Along
this line, I found that SELinux is also built using
LSM, and that some kind of stacking mechanism is possible
with SELinux, though this assumption proved itself
wrong.

Is it possible to compile the SELinux LSM without
kernel recompilation (maybe a stupid question)?
Because it takes too much time to recompile the kernel
each time a change is made.

Thank You,
JG


* SELinux configuration problems on Fedora Core 6
  2007-03-13 17:26             ` Stephen Smalley
  2007-03-14  6:25               ` JanuGerman
@ 2007-03-15 15:05               ` JanuGerman
  2007-03-15 15:38                 ` JanuGerman
  2007-03-19 12:48                 ` Stephen Smalley
  1 sibling, 2 replies; 18+ messages in thread
From: JanuGerman @ 2007-03-15 15:05 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi Everybody,

I am not able to configure the SELinux policy on
Fedora Core 6 (2.6.20.1). There is no folder called
/etc/selinux/src/policy, whereas in all the internet
documentation this folder is referenced. Plus, there
is no sample policy shipped with SELinux on
Fedora.

The refpolicy tool from Tresys tries to reference a
command called /usr/bin/checkpolicy, which is also
not loadable. Is there some problem with this kernel
version, or did my installation of SELinux not
succeed?

Thanks.
JG


* Re: SELinux configuration problems on Fedora Core 6
  2007-03-15 15:05               ` SELinux configuration problems on Fedora Core 6 JanuGerman
@ 2007-03-15 15:38                 ` JanuGerman
  2007-03-19 12:49                   ` Stephen Smalley
  2007-03-19 12:48                 ` Stephen Smalley
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-15 15:38 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

...sorry to mention one thing that:

newrole -r SysAdmin_r is also not working and giving
the error:

'couldn't get default type'

Thanks,
JG


* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-14  6:25               ` JanuGerman
@ 2007-03-19 12:36                 ` Stephen Smalley
  0 siblings, 0 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-19 12:36 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Wed, 2007-03-14 at 06:25 +0000, JanuGerman wrote:
> > The first question to ask is what are you trying to
> > do with your module,
> 
> I was interested in LSM stacking for my project. Along
> this line, I found that SELinux is also built using
> LSM, and that some kind of stacking mechanism is possible
> with SELinux, though this assumption proved itself
> wrong.
> 
> Is it possible to compile the SELinux LSM without
> kernel recompilation (maybe a stupid question)?
> Because it takes too much time to recompile the kernel
> each time a change is made.

SELinux is necessarily built-in, so you cannot rebuild it separately (as
you can do for genuine loadable kernel modules).

-- 
Stephen Smalley
National Security Agency



* Re: SELinux configuration problems on Fedora Core 6
  2007-03-15 15:05               ` SELinux configuration problems on Fedora Core 6 JanuGerman
  2007-03-15 15:38                 ` JanuGerman
@ 2007-03-19 12:48                 ` Stephen Smalley
  1 sibling, 0 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-19 12:48 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Thu, 2007-03-15 at 15:05 +0000, JanuGerman wrote:
> Hi Everybody,
> 
> I am not able to configure the SELinux policy on
> Fedora Core 6 (2.6.20.1). There is no folder called
> /etc/selinux/src/policy, whereas in all the internet
> documentation this folder is referenced. Plus, there
> is no sample policy shipped with SELinux on
> Fedora.

Starting in Fedora Core 5, SELinux support for loadable policy modules
was introduced, eliminating the need for installing the base policy
sources for local customizations.  Please read the Fedora SELinux wiki
pages and FAQ,
http://fedoraproject.org/wiki/SELinux/
http://fedora.redhat.com/docs/selinux-faq/

(There isn't yet a Fedora Core 6 SELinux FAQ, but the Fedora Core 5
information should still apply).

The base policy sources are available in the selinux-policy .src.rpm
file, but you don't generally need them to make local customizations.

> The refpolicy tool from Tresys tries to reference a
> command called /usr/bin/checkpolicy, which is also
> not loadable. Is there some problem with this kernel
> version, or did my installation of SELinux not
> succeed?

checkpolicy isn't installed by default in Fedora because it is only
needed if building your own policies.  Run:
yum install checkpolicy

-- 
Stephen Smalley
National Security Agency



* Re: SELinux configuration problems on Fedora Core 6
  2007-03-15 15:38                 ` JanuGerman
@ 2007-03-19 12:49                   ` Stephen Smalley
  0 siblings, 0 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-19 12:49 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Thu, 2007-03-15 at 15:38 +0000, JanuGerman wrote:
> ...sorry to mention one thing that:
> 
> newrole -r SysAdmin_r is also not working and giving
> the error:
> 
> 'couldn't get default type'

The default policy in Fedora is "targeted", not "strict", and thus has
no notion of user roles and types (yet).  If you want those, you
presently need to switch to strict policy.  See the Fedora SELinux FAQ.

-- 
Stephen Smalley
National Security Agency



* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-13 15:08         ` Stephen Smalley
  2007-03-13 17:08           ` JanuGerman
@ 2007-03-20 16:57           ` JanuGerman
  2007-03-20 17:01             ` Stephen Smalley
  1 sibling, 1 reply; 18+ messages in thread
From: JanuGerman @ 2007-03-20 16:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux List

Hi Stephen,
> Perhaps an example would make things clearer. 
> During open(2)
> processing, the fs/namei.c:permission() function is
> called to check
> permissions.  That function first applies the usual
> Linux checks,
> including DAC checks, and, if they pass, the
> function then calls the LSM
> security_inode_permission() hook, which is defined
> by
> include/linux/security.h.  

Within fs/namei.c, there are two functions defined
for calling fs/namei.c:permission(): one is int
vfs_permission(struct nameidata *nd, int mask) and the
other is int file_permission(struct file *file, int
mask).

My question is, which of the above two functions
is used to call the fs/namei.c:permission() function in
the Linux 2.6 kernel, and which way is followed by
SELinux?

Best,
MA


* Re: Confirmation about task_has_security in selinuxfs.c
  2007-03-20 16:57           ` Confirmation about task_has_security in selinuxfs.c JanuGerman
@ 2007-03-20 17:01             ` Stephen Smalley
  0 siblings, 0 replies; 18+ messages in thread
From: Stephen Smalley @ 2007-03-20 17:01 UTC (permalink / raw)
  To: JanuGerman; +Cc: SELinux List

On Tue, 2007-03-20 at 16:57 +0000, JanuGerman wrote:
> Hi Stephen,
> > Perhaps an example would make things clearer. 
> > During open(2)
> > processing, the fs/namei.c:permission() function is
> > called to check
> > permissions.  That function first applies the usual
> > Linux checks,
> > including DAC checks, and, if they pass, the
> > function then calls the LSM
> > security_inode_permission() hook, which is defined
> > by
> > include/linux/security.h.  
> 
> Within fs/namei.c, there are two functions defined
> for calling fs/namei.c:permission(): one is int
> vfs_permission(struct nameidata *nd, int mask) and the
> other is int file_permission(struct file *file, int
> mask).
> 
> My question is, which of the above two functions
> is used to call the fs/namei.c:permission() function in
> the Linux 2.6 kernel, and which way is followed by
> SELinux?

Read the code (including the comments), and all should be clear.

-- 
Stephen Smalley
National Security Agency


