From: aranea@aixah.de (Luis Ressel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks
Date: Sat, 1 Feb 2014 12:53:16 +0100 [thread overview]
Message-ID: <20140201125316.384fce10@gentp.lnet> (raw)
In-Reply-To: <52EC69CF.3060408@tresys.com>
On Fri, 31 Jan 2014 22:28:15 -0500
"Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> We generally prefer not to specially label symlinks. They don't have
> the security properties of the object the point to, and the
> permissions are checked normally on the target.
My application case is that I'm mounting a regularily updated squashfs
image. The filename of this image includes a timestamp, so I'm using a
symlink; otherwise I'd have to update fstab each time the filename
changes.
I understand that labeling symlinks is uncommon, but in this particular
case it seems like the best solution.
The change clearly doesn't harm security, so I choose to push it
upstream. Perhaps others are also using this scheme, but I'm sure it's
not too common, so I'd also be okay with just applying this patch
locally.
--
Luis Ressel <aranea@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140201/52667ce1/attachment.bin
next prev parent reply other threads:[~2014-02-01 11:53 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-29 22:45 [refpolicy] Support loopback mounts Luis Ressel
2014-01-29 22:45 ` [refpolicy] [PATCH 1/3] Allow mount_t to follow mount_loopback_t symlinks Luis Ressel
2014-02-01 3:28 ` Christopher J. PeBenito
2014-02-01 11:53 ` Luis Ressel [this message]
2014-01-29 22:45 ` [refpolicy] [PATCH 2/3] Allow mount_t usage of /dev/loop-control Luis Ressel
2014-02-01 3:26 ` Christopher J. PeBenito
2014-01-29 22:45 ` [refpolicy] [PATCH 3/3] Grant kernel_t necessary permissions for loopback mounts Luis Ressel
2014-02-01 3:32 ` Christopher J. PeBenito
2014-02-01 13:14 ` Luis Ressel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140201125316.384fce10@gentp.lnet \
--to=aranea@aixah.de \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.