From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Russell Coker <russell@coker.com.au>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: chcon
Date: Tue, 21 Oct 2003 14:39:38 -0400
Message-ID: <3F957D6A.7060807@redhat.com>
In-Reply-To: <1066743378.27065.81.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:

>On Tue, 2003-10-21 at 09:27, Russell Coker wrote:
>
>>Steve, chcon needs access to /selinux/context, is there any problem in putting 
>>in a macro such as the following and using it for all user domains?
>>
>>define(`can_check_context', `
>>allow $1 security_t:dir search;
>>allow $1 security_t:file { read write };
>>allow $1 security_t:security { check_context };
>>')
>
>This is a recent change to chcon in Dan's SRPM; doesn't exist in the
>coreutil-selinux patch from the last release. It isn't truly necessary,
>as the context will be checked when it is passed to the kernel via
>setfilecon and that call will fail if the context is invalid, so it is
>only useful if there is some benefit to catching such errors earlier.
>
>Even if it is worth retaining in chcon, I would suggest distinguishing
>between an errno of ENOENT and an errno of EINVAL, as the former may
>just indicate that selinuxfs wasn't mounted or the kernel was a
>non-SELinux kernel (but could still have the xattr handlers), and
>letting the chcon proceed in the former case.  Otherwise, you won't be
>able to use chcon if selinuxfs is unmounted or using a non-SELinux
>kernel that has the xattr handlers.  I should likely make the same
>change to setfiles.
>
I have put out a new patch that does not do this anymore.  It has a 
simpler error mechanism.

Dan
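
The distinction suggested in the quoted text (ENOENT versus EINVAL from the early context check), as an added example that is not part of the original message or of Dan's patch. It assumes the check is done by writing the NUL-terminated context to the selinuxfs node; `precheck_context`, `classify_check_errno` and the enum names are hypothetical, and the sample context is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical names: outcome of the optional early check before setfilecon. */
enum precheck { CTX_OK, CTX_INVALID, CTX_SKIP, CTX_ERROR };

/* ENOENT: node missing (selinuxfs unmounted or non-SELinux kernel), so skip
 * the early check and let the later setfilecon call decide.
 * EINVAL: the kernel rejected the context, so stop before touching files. */
enum precheck classify_check_errno(int err)
{
    switch (err) {
    case 0:      return CTX_OK;
    case ENOENT: return CTX_SKIP;
    case EINVAL: return CTX_INVALID;
    default:     return CTX_ERROR;   /* e.g. EACCES: policy denies the check */
    }
}

/* Write ctx to the check node and classify the result. The node path is a
 * parameter (assumption) so the logic can be exercised without selinuxfs. */
enum precheck precheck_context(const char *node, const char *ctx)
{
    int fd = open(node, O_WRONLY);
    if (fd < 0)
        return classify_check_errno(errno);

    size_t len = strlen(ctx) + 1;            /* include the trailing NUL */
    ssize_t n = write(fd, ctx, len);
    int err = (n < 0) ? errno : 0;
    close(fd);
    if (n >= 0 && (size_t)n != len)
        return CTX_ERROR;                    /* short write: result unknown */
    return classify_check_errno(err);
}

int main(void)
{
    /* Constructed sample context; the path is the one named in the thread. */
    enum precheck r = precheck_context("/selinux/context", "user_u:object_r:tmp_t");
    int proceed = (r == CTX_OK || r == CTX_SKIP);
    printf("precheck=%d: %s\n", r, proceed ? "call setfilecon" : "stop");
    return !proceed;
}
```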
