Daniel J Walsh wrote: > On 09/10/2009 11:19 AM, Stephen Smalley wrote: >> I think what is happening is this: gedit has been instrumented to >> preserve the security.selinux attribute on files. This works fine when >> SELinux is enabled, as SELinux applies a set of permission checks on >> setting its attributes and does not require a Linux capability / >> superuser access in doing so. But when SELinux is disabled, setting any >> attribute in the security.* namespace is restricted to CAP_SYS_ADMIN and >> thus non-root use of gedit will fail on the setxattr() call with EPERM. >> > I would say that gedit should check SELinux enfocing mode and if > disabled continue to work. > I would expect it to check errno when the call to setxattr fails. It can fail for other reasons then a SELinux error. From the setxattr man page: RETURN VALUE On success, zero is returned. On failure, -1 is returned and errno is set appropriately. If XATTR_CREATE is specified, and the attribute exists already, errno is set to EEXIST. If XATTR_REPLACE is specified, and the attribute does not exist, errno is set to ENOATTR. If there is insufficient space remaining to store the extended attribute, errno is set to either ENOSPC, or EDQUOT if quota enforcement was the cause. If extended attributes are not supported by the filesystem, or are disabled, errno is set to ENOTSUP. The errors documented for the stat(2) system call are also applicable here. So if errno is ENOTSUP, I would expect gedit to continue without generating an error. It should probably do the same for EEXIST and ENOATTR... Mikkel -- Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines