/proc Q

Stephen Smalley sds at tycho.nsa.gov
Mon Mar 7 17:55:25 UTC 2005


On Mon, 2005-03-07 at 18:59 +0100, Holger Burde wrote:
> Hi;
> 
> Filesystems with no support for persistent labels have no context but I
> found corresponding type declarations (rawhide.strict: types/procfs.te or
> fc3:targeted types/procfs.te) and usage (domains/program zebra.te:allow
> zebra_t proc_t:file { getattr read };). Is this dummy stuff or have I
> missed something?

They have labels (on the incore inodes), but they aren't visible to
userspace (due to lack of xattr handler for the filesystem).  But they
are still used for access control.  Assignment is done via
genfs_contexts in the policy for proc.

There has been discussion of a general switch in the VFS so that if the
filesystem doesn't support xattrs natively, it would call into the
security module (i.e. SELinux) instead, and let SELinux handle the
getxattr/setxattr requests based on the incore inode label.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
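The genfs_contexts mechanism Stephen describes is easy to misread from userspace, since the labels it assigns are never written to disk. The following is an added model (not code from the post, the kernel, or the policy sources) of how the kernel picks a context for a proc or sysfs inode from genfscon entries: the entries for the matching filesystem type are tried by path prefix, and the longest matching prefix wins, optionally restricted to one object class. The policy fragment and every context string in it are constructed for illustration, and the optional `-X` class-flag syntax is assumed to follow checkpolicy's genfscon form.

```python
"""Model of SELinux genfs_contexts label assignment for filesystems
without persistent xattrs (proc, sysfs, ...).

Added example, not code from the mailing-list post or from the kernel.
The policy fragment and its context strings are constructed; the class
flag syntax (-d, -c, ...) is assumed to follow checkpolicy's genfscon.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Context the kernel falls back to when no genfscon entry matches
# (assumed spelling of the initial "unlabeled" SID's context).
UNLABELED = "system_u:object_r:unlabeled_t:s0"

# checkpolicy file-type flags -> object class the entry is restricted to
CLASS_FLAGS = {"-b": "blk_file", "-c": "chr_file", "-d": "dir",
               "-p": "fifo_file", "-l": "lnk_file", "-s": "sock_file",
               "--": "file"}

_GENFSCON = re.compile(
    r"^genfscon\s+(\S+)\s+(\S+)(?:\s+(-[bcdpls-]))?\s+(\S+)\s*$")


@dataclass(frozen=True)
class GenfsEntry:
    fstype: str                 # filesystem type the entry applies to
    path: str                   # path prefix, relative to the mount root
    sclass: Optional[str]       # object class restriction, None = any
    context: str                # security context assigned on a match


def parse_genfscon(policy_text: str) -> List[GenfsEntry]:
    """Parse 'genfscon fstype path [-flag] context' lines; '#' starts a comment."""
    entries = []
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _GENFSCON.match(line)
        if m is None:
            raise ValueError(f"unparsable genfscon line: {raw!r}")
        fstype, path, flag, context = m.groups()
        entries.append(GenfsEntry(fstype, path,
                                  CLASS_FLAGS[flag] if flag else None,
                                  context))
    return entries


def genfs_context(entries: List[GenfsEntry], fstype: str, path: str,
                  sclass: str = "file") -> str:
    """Return the context for an inode at `path` on a `fstype` mount.

    Mirrors the kernel's lookup: only entries for this fstype are
    considered, an entry with a class restriction applies only to that
    class, matching is a plain byte-prefix comparison (so '/net' also
    matches '/network'), and the longest matching prefix wins.
    """
    best = None
    for e in entries:
        if e.fstype != fstype:
            continue
        if e.sclass is not None and e.sclass != sclass:
            continue
        if not path.startswith(e.path):
            continue
        if best is None or len(e.path) > len(best.path):
            best = e
    return best.context if best is not None else UNLABELED


# Constructed policy fragment in the style of a genfs_contexts file.
SAMPLE_POLICY = """
genfscon proc  /        system_u:object_r:proc_t:s0
genfscon proc  /kmsg    system_u:object_r:proc_kmsg_t:s0   # longer prefix wins
genfscon proc  /net     system_u:object_r:proc_net_t:s0
genfscon sysfs /        system_u:object_r:sysfs_t:s0
genfscon sysfs /class   -d system_u:object_r:sysfs_class_t:s0  # dirs only
"""

POLICY = parse_genfscon(SAMPLE_POLICY)

if __name__ == "__main__":
    for fstype, path, sclass in [("proc", "/1/status", "file"),
                                 ("proc", "/kmsg", "file"),
                                 ("proc", "/net/dev", "file"),
                                 ("sysfs", "/class/net", "dir"),
                                 ("sysfs", "/class/net/eth0", "file"),
                                 ("debugfs", "/", "dir")]:
        print(f"{fstype:8}{path:18}{sclass:6} -> "
              f"{genfs_context(POLICY, fstype, path, sclass)}")
```

This is why `zebra_t proc_t:file { getattr read }` in zebra.te is not dummy policy: every regular file under a proc mount that no more specific entry covers resolves to proc_t through the `/` entry, and access checks run against that label even though, on the kernels of the time, nothing exposes it through getxattr.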




More information about the fedora-selinux-list mailing list