SELinux acl's options

SELinux acl's options

[Justin Mattock]

I've been freaking out for a few weeks at looking
at ls -Z and seeing a dot at the end of the permissions.
(then after gogling I found)
http://www.linux-archive.org/fedora-development/285498-dot-end-permissions-something-new.html

relieving me of thinking I have a hole in the ACL's.

Anyways how would one go about changing
the "." to a "+" at the end of the permission?

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux acl's options

[Dominick Grift]

On Sun, 2009-05-24 at 09:31 -0700, Justin Mattock wrote:
> I've been freaking out for a few weeks at looking
> at ls -Z and seeing a dot at the end of the permissions.
> (then after gogling I found)
> http://www.linux-archive.org/fedora-development/285498-dot-end-permissions-something-new.html
> 
> relieving me of thinking I have a hole in the ACL's.
> 
> Anyways how would one go about changing
> the "." to a "+" at the end of the permission?
> 

The dot in the end means there is also a SELinux context.
The plus in the end means there is also a ACL defined.

No dot and plus means only basic DAC permissions are defined.

I hope this clears things up for you:

[root@notebook2 /]# mkdir test
[root@notebook2 /]# ls -alZ / | grep test
drwxr-xr-x. root root dgrift:object_r:default_t:SystemLow test
[root@notebook2 /]# setfacl -m u:dgrift:r test
[root@notebook2 /]# ls -alZ / | grep test
drwxr-xr-x+ root root dgrift:object_r:default_t:SystemLow test
[root@notebook2 /]#


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux acl's options

[Justin Mattock]

On Sun, May 24, 2009 at 11:27 AM, Dominick Grift <domg472@gmail.com> wrote:
> On Sun, 2009-05-24 at 09:31 -0700, Justin Mattock wrote:
>> I've been freaking out for a few weeks at looking
>> at ls -Z and seeing a dot at the end of the permissions.
>> (then after gogling I found)
>> http://www.linux-archive.org/fedora-development/285498-dot-end-permissions-something-new.html
>>
>> relieving me of thinking I have a hole in the ACL's.
>>
>> Anyways how would one go about changing
>> the "." to a "+" at the end of the permission?
>>
>
> The dot in the end means there is also a SELinux context.
> The plus in the end means there is also a ACL defined.
>
> No dot and plus means only basic DAC permissions are defined.
>
> I hope this clears things up for you:
>
> [root@notebook2 /]# mkdir test
> [root@notebook2 /]# ls -alZ / | grep test
> drwxr-xr-x. root root dgrift:object_r:default_t:SystemLow test
> [root@notebook2 /]# setfacl -m u:dgrift:r test
> [root@notebook2 /]# ls -alZ / | grep test
> drwxr-xr-x+ root root dgrift:object_r:default_t:SystemLow test
> [root@notebook2 /]#
>
>

Thanks for the info.
So I take it somewhere
on  my system there an init script that's
setting the "."(dot)

What would be the preferred way to have this set?
(safest and/or securest)

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.