Re: pathnames

From: Stephen Smalley (sdsat_private)
Date: Tue Jul 03 2001 - 06:06:55 PDT


On Mon, 2 Jul 2001, Serge E. Hallyn wrote:

> > Furthermore, it would be interesting to see if we could push
> > some of the other attach_pathlabel hook calls down to lower-level
> > lookup hook calls (patterned after the i_op->lookup routine
> > and called after successful calls to that routine), again
> > with DTE being able to assign types merely based on the parent
> > directory's inode security object and the relative name of
> > the newly looked up entry.
>
> Not sure if I understand you correctly here, but if all I have is the
> inode and relative pathname (i.e., inode for "/var/spool/mail", and
> name "hallyn"), that is obviously insufficient, since that prevents
> me assigning the same typename at points in otherwise distinct fs
> subtrees.  For instance, for whatever reason, I might have /var/spool/mail
> and /usr/spool/mail as actually different directories, same security label,
> but want to assign a different security label to "hallyn" under each.

By the "parent directory's inode security object", I don't just
mean the type on the parent directory.  As each directory is looked
up, you can set a field in its security object (in addition to its
type) that refers to the corresponding entry in a hierarchical
association database (HADB) generated from your type assignment rules.
You can then perform a lookup relative to that entry using the
relative name of the newly looked up entry to obtain its type.
So /var/spool/mail and /usr/spool/mail would refer to different
points in the HADB, and thus /var/spool/mail/hallyn and
/usr/spool/mail/hallyn could have different types.  You should be able to
initialize the reference into the HADB for the root inode of each file
system at mount time.  Everything else can be performed using a parent
directory and a relative name.
    
--
Stephen D. Smalley, NAI Labs
ssmalleyat_private
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
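The scheme Smalley describes above, modelled in C as an added example (this is not code from the thread, from DTE, or from the LSM tree). It assumes a HADB built as a tree of path components, a per-inode security object holding a type and a HADB reference, and the DTE convention that an entry with no rule of its own inherits its parent's type; the rule paths and type names (spool_t, var_mail_hallyn_t, usr_mail_hallyn_t, root_t) are constructed for the /var/spool/mail vs. /usr/spool/mail case from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HADB_MAX_CHILDREN 16

/* One entry in the hierarchical association database (HADB): a path
 * component, the type a rule assigns to it (NULL = no rule here, inherit
 * from the parent), and its children. Assumed layout, not DTE's own. */
struct hadb_node {
    char name[64];
    const char *type;
    struct hadb_node *children[HADB_MAX_CHILDREN];
    int nchildren;
};

/* Per-inode security object as sketched in the mail: the DTE type plus a
 * reference into the HADB, set when the inode was looked up. */
struct inode_sec {
    const char *type;
    const struct hadb_node *hadb_ref;   /* NULL once we leave the rule tree */
};

static struct hadb_node *hadb_child(const struct hadb_node *n, const char *name)
{
    for (int i = 0; i < n->nchildren; i++)
        if (strcmp(n->children[i]->name, name) == 0)
            return n->children[i];
    return NULL;
}

static struct hadb_node *hadb_new(const char *name)
{
    struct hadb_node *n = calloc(1, sizeof *n);
    if (!n) abort();
    snprintf(n->name, sizeof n->name, "%s", name);
    return n;
}

/* Install a rule "absolute path -> type", creating intermediate entries
 * (with type NULL) as needed. This is the "database generated from your
 * type assignment rules" step. */
void hadb_add_rule(struct hadb_node *root, const char *path, const char *type)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", path);
    struct hadb_node *cur = root;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        struct hadb_node *c = hadb_child(cur, tok);
        if (!c) {
            if (cur->nchildren >= HADB_MAX_CHILDREN) abort();
            c = hadb_new(tok);
            cur->children[cur->nchildren++] = c;
        }
        cur = c;
    }
    cur->type = type;
}

/* Mount time: the file system root inode gets the HADB root as its
 * reference and either the root rule's type or a default. */
void dte_init_root(struct inode_sec *root_sec, const struct hadb_node *hadb_root,
                   const char *default_type)
{
    root_sec->hadb_ref = hadb_root;
    root_sec->type = hadb_root->type ? hadb_root->type : default_type;
}

/* Post-lookup hook: the child's security object is derived from the parent
 * security object and the relative name only, which is the whole point. */
void dte_post_lookup(const struct inode_sec *parent, const char *name,
                     struct inode_sec *child)
{
    const struct hadb_node *ref =
        parent->hadb_ref ? hadb_child(parent->hadb_ref, name) : NULL;
    child->hadb_ref = ref;
    child->type = (ref && ref->type) ? ref->type : parent->type;
}

/* Walk an absolute path from the root object one component at a time,
 * exactly as a chain of lookups would. */
const char *dte_type_of_path(const struct inode_sec *root_sec, const char *path)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", path);
    struct inode_sec cur = *root_sec, next;
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/"))
        dte_post_lookup(&cur, tok, &next), cur = next;
    return cur.type;
}

/* Constructed rule set for the scenario in the thread, then resolve a path. */
const char *dte_sample_type(const char *path)
{
    struct hadb_node *root = hadb_new("");
    hadb_add_rule(root, "/var/spool/mail", "spool_t");
    hadb_add_rule(root, "/usr/spool/mail", "spool_t");
    hadb_add_rule(root, "/var/spool/mail/hallyn", "var_mail_hallyn_t");
    hadb_add_rule(root, "/usr/spool/mail/hallyn", "usr_mail_hallyn_t");
    struct inode_sec root_sec;
    dte_init_root(&root_sec, root, "root_t");
    return dte_type_of_path(&root_sec, path);
}

int main(void)
{
    const char *paths[] = { "/var/spool/mail/hallyn", "/usr/spool/mail/hallyn",
                            "/var/spool/mail/other", "/etc/passwd" };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-24s -> %s\n", paths[i], dte_sample_type(paths[i]));
    return 0;
}
```

Both mail directories carry the same type (spool_t), yet "hallyn" under each resolves to a different type because the parent's hadb_ref points at a different HADB entry; a name with no rule (other, or anything under /etc) simply inherits, and once a lookup leaves the rule tree hadb_ref becomes NULL so deeper lookups cost nothing.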
This archive was generated by hypermail 2b30 : Tue Jul 03 2001 - 06:09:31 PDT