From: Stephen Smalley <sds@tycho.nsa.gov>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: fs_use_trans
Date: Tue, 14 Oct 2014 13:39:39 -0400
Message-ID: <543D5FDB.7@tycho.nsa.gov>
In-Reply-To: <CAFftDdpSxAHnNKHG+TGVBdWz6uxt_RKeo_BMbQ5UtpB_Q=Bg1w@mail.gmail.com>

On 10/14/2014 11:00 AM, William Roberts wrote:
> Yeah, looking at this, doesn't this statement really just allow for the use of
> type_transition statements on that filesystem? It doesn't actually generate
> labels; you still need the typetrans rule. It appears that the definition
> is overreaching for its actual function and probably inferring something
> from refpolicy.

Each of the fs_use_* statements specifies how to determine the label for
existing inodes in the filesystem.  fs_use_xattr tells SELinux to fetch
the inode label via ->getxattr().  fs_use_task tells SELinux to assign
the inode the label of its creator.  fs_use_trans tells SELinux to
compute the inode label based on the result of security_transition_sid()
on the creating process SID and the filesystem SID.  What
security_transition_sid() returns depends on whether or not you have a
transition rule in policy.  So fs_use_trans doesn't guarantee that you
have a transition rule in place; it just allows you to use transition
rules if you wish to label the inodes based on some combination of the
creating process domain and the filesystem type.
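As an added illustration (a toy model written for this page, not kernel code and not part of the thread), the following Python reduces the three labeling behaviors above to a lookup: fs_use_xattr returns the stored xattr, fs_use_task the creator's type, and fs_use_trans the result of a type_transition lookup standing in for security_transition_sid(). Type names, the example policy and the fallback to the filesystem type when no rule matches are assumptions of the model (the latter mirrors the kernel default of using the target type for non-process classes).

```python
"""Toy model of SELinux inode labeling under fs_use_xattr / fs_use_task /
fs_use_trans.  Contexts are reduced to plain type strings."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # (source_type, target_type, class) -> resulting type
    type_transitions: dict = field(default_factory=dict)
    # (source_type, target_type, class, filename) -> resulting type
    name_transitions: dict = field(default_factory=dict)


def transition_type(policy, src, tgt, cls, name=None):
    """Stand-in for security_transition_sid(): a name-based rule wins,
    then a plain type_transition, else the target (filesystem) type.
    The last step is the kernel default assumed by this model."""
    if name is not None and (src, tgt, cls, name) in policy.name_transitions:
        return policy.name_transitions[(src, tgt, cls, name)]
    return policy.type_transitions.get((src, tgt, cls), tgt)


def new_inode_type(fs_use, policy, creator, fs_type,
                   cls="file", name=None, xattr=None, fs_default="unlabeled_t"):
    """Type assigned to a newly seen inode on a filesystem with the given
    fs_use_* behavior.  fs_default models the superblock's default label
    used when a fs_use_xattr filesystem has no xattr on the inode."""
    if fs_use == "fs_use_xattr":          # label comes from ->getxattr()
        return xattr if xattr is not None else fs_default
    if fs_use == "fs_use_task":           # label of the creating process
        return creator
    if fs_use == "fs_use_trans":          # transition on (creator, fs SID)
        return transition_type(policy, creator, fs_type, cls, name)
    raise ValueError(f"unknown fs_use behavior: {fs_use}")


# Constructed example policy: one plain and one filename transition.
EXAMPLE_POLICY = Policy(
    type_transitions={("myapp_t", "tmpfs_t", "file"): "myapp_tmp_t"},
    name_transitions={("myapp_t", "tmpfs_t", "file", "state.db"): "myapp_db_t"},
)


def demo():
    """Shows that fs_use_trans only enables rules; without one, the
    inode falls back to the filesystem type."""
    p = EXAMPLE_POLICY
    return {
        "trans_with_rule": new_inode_type("fs_use_trans", p, "myapp_t", "tmpfs_t"),
        "trans_named_rule": new_inode_type("fs_use_trans", p, "myapp_t", "tmpfs_t", name="state.db"),
        "trans_no_rule": new_inode_type("fs_use_trans", p, "other_t", "tmpfs_t"),
        "task": new_inode_type("fs_use_task", p, "other_t", "tmpfs_t"),
    }
```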
