fedora 2 - ls -Z for proc

Stephen Smalley sds at epoch.ncsc.mil
Tue Jun 1 14:17:55 UTC 2004


On Tue, 2004-06-01 at 00:46, Pratik Mehta wrote:
> Hi,
> 
> When I run on Fedora 2 ls --context or ls -Z for /proc I get:
> [root at localhost proc]# ls --context
> dr-xr-xr-x  root     root     (null)                           1
> dr-xr-xr-x  root     root     (null)                           10
> dr-xr-xr-x  root     root     (null)                           11
> dr-xr-xr-x  root     root     (null)                           116
> 
> But as Faye says in his documentation:
> Running ls --context /proc shows the following listing for the init 
> process (with a process id of 1):
> 
> dr-xr-xr-x  root     root     system_u:system_r:init_t         1
> 
> 
> Why is this so?????

Old SELinux API vs. new SELinux API.  As part of getting SELinux into
the mainline kernel, we had to completely overhaul the SELinux API. 
File contexts are now obtained via the underlying extended attribute
(xattr) API, which fetches the xattr value from the filesystem
implementation; in contrast, under the old API, the file context was
obtained from the SELinux code itself, which would simply map the
internal security identifier (SID) from the incore inode to a security
context and return that context.  As a result, unless the filesystem
implementation exports xattr handlers, userspace cannot obtain the
security contexts on the files.  We have implemented fake xattr handlers
for the devpts pseudo filesystem to support getting and setting security
contexts on ptys (e.g. for sshd), but didn't see it as necessary to do
so for proc.  Instead, you can obtain the context of a given process via
/proc/pid/attr/current, e.g. cat /proc/1/attr/current will show you the
context of the init process (if you have permission to do so).  Note
that libselinux exports a getpidcon() function for this purpose, which
is what you should use from any program that wants this information.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
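
The lookup the reply describes, reading /proc/<pid>/attr/current and splitting the result into user:role:type plus an optional MLS range, as an added Python example that is not part of the original thread. It reads the proc file directly instead of calling libselinux's getpidcon(), which is what the reply recommends for real programs; the sample context bytes are constructed.

```python
import errno
from typing import NamedTuple, Optional


class SELinuxContext(NamedTuple):
    """user:role:type plus an optional MLS/MCS range (MLS-enabled policies only)."""
    user: str
    role: str
    type: str
    range: Optional[str]


def parse_context(raw: bytes) -> SELinuxContext:
    """Parse the bytes read from /proc/<pid>/attr/current.

    The value may carry a trailing NUL (and a newline when piped through
    cat), so both are stripped. A range such as 's0-s0:c0.c1023' itself
    contains ':', so split at most three times to keep it whole.
    """
    text = raw.rstrip(b"\x00\n").decode("ascii")
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed SELinux context: {text!r}")
    user, role, type_, *rest = parts
    return SELinuxContext(user, role, type_, rest[0] if rest else None)


def get_pid_context(pid: int) -> Optional[SELinuxContext]:
    """Return the context of `pid`, or None when it cannot be obtained.

    None covers the cases the reply hints at: no such process (ENOENT),
    no permission to read another process's context (EACCES/EPERM), or a
    kernel with no LSM providing procattr (EINVAL).
    """
    try:
        with open(f"/proc/{pid}/attr/current", "rb") as fh:
            return parse_context(fh.read())
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.EACCES, errno.EPERM, errno.EINVAL):
            return None
        raise


if __name__ == "__main__":
    # Constructed sample matching the init_t listing quoted in the thread.
    print(parse_context(b"system_u:system_r:init_t\x00"))
    print(get_pid_context(1) or "context of PID 1 not available")
```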
