From: Stephen Smalley <sds@tycho.nsa.gov>
To: William Roberts <bill.c.roberts@gmail.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: fs_use_trans
Date: Tue, 14 Oct 2014 10:44:44 -0400
Message-ID: <543D36DC.8060202@tycho.nsa.gov>
In-Reply-To: <CAFftDdrTMJrq5P=+vkJeQ612Ndr5G-_qc5Ve10k1F2KJfQpZGA@mail.gmail.com>

On 10/10/2014 07:05 PM, William Roberts wrote:
> The docs for fs_use_trans state:
>
> The fs_use_trans statement is used to allocate a security context to
> pseudo filesystems such as pseudo terminals and temporary objects. The
> assigned context is derived from the creating process and that of the
> filesystem type based on transition rules.
>
>
> Can someone give me an example? For instance if I had:
>
> fs_use_trans devpts u:object_r:devpts:s0;
>
> and a daemon running with context:
> u:r:init:s0
>
> and it creates something on the devpts, what is the resulting context
> of the object?

It depends on whether you have a type_transition rule defined in policy.
For example, in the Android policy, we have the create_pty() macro
defined in te_macros, and if you had create_pty(init) in your policy,
then it would set up a type transition so that any pty created by init
would be labeled with an init_devpts type rather than just devpts.
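
The label computation discussed in this message, modelled as an added example (not part of the original email and not SELinux or Android code). It assumes a hand-written `type_transition` rule matching the effect the reply describes for create_pty(init), a single-level context such as `s0`, and no default_* or role_transition rules; the function names and the `otherdomain` type are hypothetical.

```python
import re

# Constructed policy fragment. The fs_use_trans line is from the question;
# the type_transition line is a hand-written rule (assumption) matching the
# effect the reply describes for create_pty(init), not the macro's own text.
POLICY = """
fs_use_trans devpts u:object_r:devpts:s0;
type_transition init devpts:chr_file init_devpts;
"""

def parse_policy(text):
    """Return ({fstype: context}, {(source_type, target_type, class): new_type})."""
    fs_use, transitions = {}, {}
    for stmt in (s.strip() for s in text.split(";")):
        m = re.fullmatch(r"fs_use_trans\s+(\S+)\s+(\S+)", stmt)
        if m:
            fs_use[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+)", stmt)
        if m:
            src, tgt, tclass, new = m.groups()
            transitions[(src, tgt, tclass)] = new
    return fs_use, transitions

def new_object_context(policy, proc_ctx, fstype, tclass):
    """Label for an object created by proc_ctx on an fs_use_trans filesystem.

    Simplified model: user and level are taken from the creating process,
    the role is object_r, and the type is the filesystem's type unless a
    type_transition rule matches (process type, filesystem type, class).
    """
    fs_use, transitions = parse_policy(policy)
    if fstype not in fs_use:
        raise KeyError(f"no fs_use_trans statement for {fstype}")
    user, _role, ptype, level = proc_ctx.split(":", 3)
    fs_type = fs_use[fstype].split(":", 3)[2]
    new_type = transitions.get((ptype, fs_type, tclass), fs_type)
    return f"{user}:object_r:{new_type}:{level}"

if __name__ == "__main__":
    # init has a matching rule; the hypothetical otherdomain does not.
    for ctx in ("u:r:init:s0", "u:r:otherdomain:s0"):
        print(ctx, "->", new_object_context(POLICY, ctx, "devpts", "chr_file"))
```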