> With the way that SE Linux works you can't stop readdir() from showing the
> name of a file or directory if the parent directory is readable. Does this
> come from SE Linux or LSM?

Neither the original SELinux kernel patch nor the LSM patch provides any
mechanism for hiding file names. See
http://marc.theaimsgroup.com/?l=selinux&m=102008720729091&w=2.

DTOS, a predecessor of SELinux, did protect file names based on the file's
security attributes, but the result wasn't very satisfying. In order to
control name visibility, and permitted multiple files to exist with the same
name as long as they differed in security context (transparent name
extension). That yielded rather interesting semantics and wasn't worth the
overhead.

> Isn't the name of a directory entry more important than the type of object it
> is?

Shrug. The name is part of the directory's state, not the inode's state.
Hence, names are protected (both in ordinary Linux and SELinux) based on the
directory's security attributes. In cases where you truly need to be
concerned about hiding names (e.g. shared directories like /tmp), you really
want a mechanism like partitioned/polyinstantiated directories (aka
multi-level directories for MLS) or preferably a security union directory
mechanism that provides a unified view of the partitioned directory to each
process based on its security attributes.

--
Stephen Smalley, NSA

_______________________________________________
linux-security-module mailing list
http://mail.wirex.com/mailman/listinfo/linux-security-module
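The point Smalley makes, that a name lives in the directory and is therefore governed by the directory's permissions rather than the file's, can be checked directly on ordinary Linux DAC. The program below is an added illustration and is not code from the post or from the SELinux or LSM projects: it creates a scratch directory under a constructed `/tmp/namevis-XXXXXX` path, places a file in it with mode 0000, and shows that readdir() still returns the name even though open() on the file itself fails for an unprivileged caller. The function name `probe_name_visibility` and the file name passed to it are assumptions made for the example.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch directory, put a file called `name` in it with mode 0000,
 * then report two things:
 *   *listed     -> 1 if readdir() on the parent still returns the name
 *   *open_errno -> errno from trying to open the file for reading
 *                  (EACCES for an unprivileged process; root bypasses the
 *                  mode bits, so it is 0 when run as root)
 * Returns 0 on success, -1 if the scratch setup itself failed. */
int probe_name_visibility(const char *name, int *listed, int *open_errno)
{
    char dir[] = "/tmp/namevis-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);

    /* Create the entry with no permission bits at all on the inode. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0000);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* Name visibility is decided by the directory's permissions: the
     * directory is readable by us, so the 0000 file still shows up. */
    *listed = 0;
    DIR *d = opendir(dir);
    if (d != NULL) {
        struct dirent *ent;
        while ((ent = readdir(d)) != NULL) {
            if (strcmp(ent->d_name, name) == 0)
                *listed = 1;
        }
        closedir(d);
    }

    /* Content access is decided by the inode's permissions, which deny us. */
    errno = 0;
    int rfd = open(path, O_RDONLY);
    *open_errno = (rfd < 0) ? errno : 0;
    if (rfd >= 0)
        close(rfd);

    /* Cleanup also works: unlink() needs write permission on the directory,
     * not on the file being removed. */
    unlink(path);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int listed = 0, open_errno = 0;
    if (probe_name_visibility("secret.txt", &listed, &open_errno) != 0) {
        perror("setup failed");
        return 1;
    }
    printf("name listed by readdir(): %s\n", listed ? "yes" : "no");
    printf("open() for reading: %s\n",
           open_errno ? strerror(open_errno) : "succeeded (privileged caller)");
    return 0;
}
```

Run it as a normal user and the name is listed while the open fails with "Permission denied"; the same split is what an SELinux policy reproduces, which is why hiding names in a shared directory needs a polyinstantiated or union directory rather than a per-file label check.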
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 06:38:32 PST