On Wed, Apr 23, 2003 at 03:17:57PM -0400, Stephen Smalley wrote: > On Wed, 2003-04-23 at 14:45, Christoph Hellwig wrote: > > Randomly userland shouldn't deal with these xattrs. Remember you are > > talking about the ondisk represenation of your labelling - nothing > > but the labelling tools should ever touch it. > > Not true. ls should be able to display the security label. find should > be able to locate files that have specific security labels. cp should > be able to preserve the security label on copies. logrotate should be > able to preserve the security label when rotating logs. crond should be > able to check the security label on a crontab spool file to verify > consistency with the user's credentials with which the cron job will > run. login/sshd need to set the security label on the user's terminal > device. You'll find plenty of examples of patched userland in SELinux, > but none of these patches are specific to a particular set of security > attributes. They just handle them as strings. And all these should _not_ happen in the actual tools but in a pluggable security module (something like pam). Encoding any security policy and especially a xattr name in those utils is bad. And see, you start to contradict what you said before - with your suggestion cron has to know what the label means, so your selinux cron would do stupid things with say may Posix 1003.1e MAC filesystem. _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 12:26:31 PDT