selinux + livecd-creator, May 20, 2008

Stephen Smalley sds at
Tue May 20 19:52:27 UTC 2008

On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > ***restorecon:
> > do we have an interface to see what is actually in security.xattr?
> No - because we don't have separate interfaces for getting/setting MAC
> labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> a first class construct and xattrs are just a storage mechanism that may
> or may not be used by the MAC module).
> We had talked about the possibility of allowing processes with
> CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> contexts thread on selinux list.  But see my comments there.

In particular, see:

It is possible, but we have to figure out how we want to handle it; we
don't want every getxattr call to trigger a full capable() check along
with auditing.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list