> > label. Is attaching a tree to the namespace something that needs to be
> > mediated, or simply recorded?
> >
>
> Anyone using a security policy that derives inode security
> information from the namespace needs to follow additions and removals
> in the namespace, not just references to superblocks.
>

We do it that way for one. He's not asking whether we want to record, but
whether we are willing *only* to record, and not mediate.

If we only record, DTE can no longer say "this fs can't be mounted under
this pathname." But it does make for a far cleaner patch, and I can still
intercept the attach in order to pretend it was mounted elsewhere.

So, given how much cleaner Chris' patch is, I'd say simply recording is
the better way to go. Unless someone else needs to mediate?

-serge

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 01:29:23 PDT