libselinux question for httpd
Stephen Smalley
sds at tycho.nsa.gov
Thu Nov 3 15:43:02 UTC 2005
On Thu, 2005-11-03 at 10:45 -0500, Ivan Gyurdiev wrote:
> Stephen Smalley wrote:
> > Naturally,
> > you can extract the string from the structure, so one could have then
> > replaced all direct uses of the string with the struct, but I don't
> > think that would be optimal; plenty of applications only want to deal
> > with the string. ls -Z, ps -Z, mkdir -Z, ...
> >
> So, there should be convert functions to go from one to the other, and the
> library interfaces should work with the opaque structure, not with the
> string.
I don't think so. Consider: today, ls can call getfilecon(), which
internally performs a getxattr(), which returns the string stored in the
attribute value, and returns it back to ls for display to the user. Why
force that process to go through an extra conversion to struct and back
for no reason?
> Anyway, I'm not volunteering to do this right now - just making some
> observations.
--
Stephen Smalley
National Security Agency
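
The trade-off discussed in this message, as an added example (not part of the original message and not libselinux source): `read_label()` mirrors the string path, a getxattr() on `security.selinux` handed straight back for display, while `ctx_parse()` and `ctx_format()` are the extra round trip a struct-only interface would force. `struct ctx`, the three function names, and the sample labels in the test are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>

/* Hypothetical struct form of user:role:type[:range]; not libselinux's type. */
struct ctx { char user[64], role[64], type[64], range[128]; };

/* String path: return the label as stored in the xattr (malloc'd), or NULL. */
char *read_label(const char *path) {
    ssize_t n = getxattr(path, "security.selinux", NULL, 0);  /* size probe */
    if (n < 0) return NULL;
    char *buf = calloc(1, (size_t)n + 1);   /* +1 guarantees a trailing NUL */
    if (!buf) return NULL;
    if (getxattr(path, "security.selinux", buf, (size_t)n) < 0) { free(buf); return NULL; }
    return buf;
}

/* Struct path in: split on the first three ':'; the range may hold more. */
int ctx_parse(const char *s, struct ctx *c) {
    char *dst[3] = { c->user, c->role, c->type };
    size_t cap[3] = { sizeof c->user, sizeof c->role, sizeof c->type };
    memset(c, 0, sizeof *c);
    for (int i = 0; i < 3; i++) {
        size_t len = strcspn(s, ":");
        if (len == 0 || len >= cap[i]) return -1;   /* empty or oversized field */
        memcpy(dst[i], s, len); s += len;
        if (*s != ':') return i == 2 ? 0 : -1;      /* range is optional */
        s++;
    }
    if (strlen(s) >= sizeof c->range) return -1;
    strcpy(c->range, s);
    return 0;
}

/* Struct path out: rebuild the string the caller started with. */
int ctx_format(const struct ctx *c, char *out, size_t n) {
    int w = snprintf(out, n, "%s:%s:%s%s%s", c->user, c->role, c->type,
                     c->range[0] ? ":" : "", c->range);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(int argc, char **argv) {
    char *label = read_label(argc > 1 ? argv[1] : "/");
    if (!label) { fprintf(stderr, "no SELinux label\n"); return 1; }
    puts(label);          /* display needs neither ctx_parse nor ctx_format */
    free(label);
    return 0;
}
```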