Re: justifying --context=CTX (-Z) for upstream coreutils, like mkdir

[Jim Meyering <jim@meyering.net>]

Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2006-08-14 at 19:18 +0200, Jim Meyering wrote:
>> I agree that it's not a trivial way to use programs, but isn't the
>> scenario that'd require such usage a little bit off the beaten track?
>
> I'm not sure that this is a valid assumption.  It might be educational
> (or perhaps not) to take your proposal to fedora-selinux-list, and seek
> feedback there, as I think they have a much larger subscriber base and

As you've probably noticed, I posted to the lists, as you suggested:
  https://www.redhat.com/archives/fedora-list/2006-August/msg02264.html (long)

I suppose it's still early, but so far, all I have is positive feedback:

  http://lists.gnu.org/archive/html/bug-coreutils/2006-08/msg00147.html

Support (and even rebuttal) welcomed.
Even silence is ok, as long as it implies consent :)

> have people who are more representative of ordinary users.  Or even
> fedora-list itself, as plenty of people are using Fedora w/SELinux
> without even subscribing to any of the SELinux-specific lists.
>
>> But of course, my whole scenario depends on SELinux
>> making it possible to write a program like fscon.
>
> I'm not convinced that even if SELinux supported such a program that it
> should replace the -Z options in coreutils.  I'd see that more as a way
> of applying SELinux to the much larger set of utils, particularly third
> party ones, that are truly not feasible for us to patch.

FYI, I learned of another tool, like the proposed fscon, that performs a
kernel state change just before exec'ing some other program: setarch(8):

  $ man setarch
  SETARCH(8)                 Linux Programmer's Manual                SETARCH(8)

  NAME
         setarch - change reported architecture in new program environment
         and set personality flags

  SYNOPSIS
         setarch <arch> [options] [program [arguments]]

         arch [options] [program [arguments]]

  DESCRIPTION
         setarch This utility currently only affects the output  of  uname
         -m.  For  example, on an AMD64 system, running 'setarch i386 pro-
         gram' will cause 'program' to see i686 (or other  relevant  arch)
         instead  of x86_64 as machine type. It also allows to set various
         personality options.
  ...

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.