From: Murray McAllister <mmcallis@redhat.com>
To: russell@coker.com.au
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: user guide drafts: Maintaining SELinux Labels
Date: Sun, 12 Oct 2008 09:44:13 +1000
Message-ID: <48F13A4D.3040706@redhat.com>
In-Reply-To: <200810112217.15754.russell@coker.com.au>
Russell Coker wrote:
> On Saturday 11 October 2008 15:15, Murray McAllister <mmcallis@redhat.com>
> wrote:
>> When files and directories are copied, the SELinux context of the new
>> file or directory depends on the context of the creating process, and
>> the context of the target, parent directory: the type is inherited from
>> the target, parent directory (unless a type transition rule exists[1]);
>> the SELinux user identity and level are inherited from the creating
>> process; and the role is always object_r, which is a generic role for
>> files. This helps ensure files and directories are labeled with the
>> correct SELinux context after being copied.
>
> I'm not sure how the last sentence is supposed to link with the rest - it
> certainly doesn't correspond to the second-last sentence.
That was from the old, wrong text. I moved it around a little:
When files and directories are copied, the SELinux context of the new
file or directory depends on the context of the creating process, and
the context of the target, parent directory. This helps ensure files and
directories are labeled with the correct SELinux context after being
copied. When files and directories are copied, the type is inherited...
>
> object_r is for future support and also to give a regular format of the
> context for all operations. Note that files under /proc that relate to
> processes have different roles.
I could only find the system_r and object_r roles in /proc/. Are there
any others? /proc/pid/* seem to only use system_r (I did not check
everything).
How about:
object_r is a generic role used for most files. Under the /proc/
directory, files relating to processes may use the system_r role.
Thanks again for your help.
>
>> Also, when a file is copied over an existing file, the existing file's
>> context is maintained, unless the user specified cp options to preserve
>> the context of the original file, such as --preserve=context.
>
> Also the -Z option to cp deserves a mention.
>
>> #Is the following required, or is it covered by the above:
>>
>> On systems running the MLS policy, when files and directories are
>> copied, they inherit the type from the parent directory they are being
>> copied to, and the level from the process that copied them.
>
> Probably.
>
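The labeling rule the draft text describes, written out as an added model in Python (this is not code from the thread or from the SELinux project; the Context class, the copied_file_context function and its optional type_transition override are assumptions made for illustration, and the sample contexts in the usage are constructed):

```python
"""Model of the cp labeling rule discussed in the thread: a newly created
file takes its type from the target parent directory (unless a type
transition rule applies), its SELinux user and level from the creating
process, and the role object_r; copying over an existing file keeps that
file's context unless cp --preserve=context was requested."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: str  # MLS/MCS range such as "s0" or "s0-s0:c0.c1023"

    @classmethod
    def parse(cls, text: str) -> "Context":
        # user:role:type[:level]; the level may itself contain ':' (s0:c0.c1023),
        # so only the first three separators are significant.
        parts = text.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed context: {text!r}")
        level = parts[3] if len(parts) == 4 else "s0"
        return cls(parts[0], parts[1], parts[2], level)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type_}:{self.level}"


def copied_file_context(process: Context, parent_dir: Context, source: Context,
                        existing_dest: Optional[Context] = None,
                        preserve_context: bool = False,
                        type_transition: Optional[str] = None) -> Context:
    """Return the context the destination ends up with after cp (model)."""
    if preserve_context:
        # cp --preserve=context carries the source file's label across,
        # whether or not the destination already exists.
        return source
    if existing_dest is not None:
        # Overwriting rewrites the data; the existing inode keeps its label.
        return existing_dest
    # Fresh file: type from the parent directory (a type_transition rule, if
    # one matched, would name a different type; hypothetical override here),
    # user and level from the creating process, role fixed to object_r.
    return Context(process.user, "object_r",
                   type_transition or parent_dir.type_, process.level)


if __name__ == "__main__":
    proc = Context.parse("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
    home = Context.parse("system_u:object_r:user_home_t:s0")
    src = Context.parse("system_u:object_r:etc_t:s0")
    print(copied_file_context(proc, home, src))  # constructed sample
```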