Re: selinux + livecd-creator, May 20, 2008
- From: Stephen Smalley <sds tycho nsa gov>
- To: Eric Paris <eparis redhat com>
- Cc: dwalsh redhat com, fedora-selinux-list redhat com
- Subject: Re: selinux + livecd-creator, May 20, 2008
- Date: Tue, 20 May 2008 15:52:27 -0400
On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > ***restorecon:
> > do we have an interface to see what is actually in security.xattr?
>
> No - because we don't have separate interfaces for getting/setting MAC
> labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> a first class construct and xattrs are just a storage mechanism that may
> or may not be used by the MAC module).
>
> We had talked about the possibility of allowing processes with
> CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> contexts thread on selinux list. But see my comments there.
In particular, see:
http://marc.info/?l=selinux&m=121016477203440&w=2
http://marc.info/?l=selinux&m=121016814610025&w=2
http://marc.info/?l=selinux&m=121017332919586&w=2
It is possible, but we have to figure out how we want to handle it; we
don't want every getxattr call to trigger a full capable() check along
with auditing.
--
Stephen Smalley
National Security Agency