MCS -- some comments for discussion
James Morris
jmorris at namei.org
Mon Nov 7 01:04:17 UTC 2005

On Sun, 6 Nov 2005, Gene Czarcinski wrote:
> 2. As I see it, MCS is "simply" another type of ACL but one which (to me) is
> a better design (more useable) than the existing ACL capability. However,
> whereas I can categorize (protect) both files and directories with ACL, I can
> currently only categorize (protect) files (not directories) with MCS. I
> consider this to be a problem/deficiency.
>
> Consider that when I create new application files (e.g., with openoffice.org),
> they will not have a category assigned by default. This could leave a
> sensitive file available for others to access. With directory protection,
> this could be mitigated.

Yes, inheriting a directory's categories on file creation (only) is
something we'll probably investigate soon.
- James
--
James Morris
<jmorris at namei.org>