[idea] udev + selinux
Stephen Smalley
sds at epoch.ncsc.mil
Tue Aug 31 19:26:43 UTC 2004
On Tue, 2004-08-31 at 15:18, Luke Kenneth Casson Leighton wrote:
> i think we need the input of more experienced people than us to
> say why these associate things are needed.

It provides control over the set of files that can live in a given
filesystem, based on their security types (equivalence classes). As you
are now creating device types in a different filesystem type, further
allow rules are needed to allow that association.

> a correct implementation of the
> hacked-together-relaxed-fscontext-hooks.c-patch results in an atomic
> operation (mount with a new context which would otherwise need to be
> achieved with two commands: mount followed by restorecon)

The more important issue is that fscontext= lets you set the superblock
security context, not just the root directory context. restorecon can't
do that.

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency