selinux + livecd-creator, May 20, 2008
Stephen Smalley
sds at tycho.nsa.gov
Tue May 20 19:52:27 UTC 2008
On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > ***restorecon:
> > do we have an interface to see what is actually in security.xattr?
>
> No - because we don't have separate interfaces for getting/setting MAC
> labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> a first class construct and xattrs are just a storage mechanism that may
> or may not be used by the MAC module).
>
> We had talked about the possibility of allowing processes with
> CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> contexts thread on selinux list. But see my comments there.
In particular, see:
http://marc.info/?l=selinux&m=121016477203440&w=2
http://marc.info/?l=selinux&m=121016814610025&w=2
http://marc.info/?l=selinux&m=121017332919586&w=2
It is possible, but we have to figure out how we want to handle it; we
don't want every getxattr call to trigger a full capable() check along
with auditing.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list