On Tue, 2004-06-01 at 00:46, Pratik Mehta wrote:
> Hi,
>
> When I run on Fedora 2 ls --context or ls -Z for /proc I get:
> [root@localhost proc]# ls --context
> dr-xr-xr-x root root (null) 1
> dr-xr-xr-x root root (null) 10
> dr-xr-xr-x root root (null) 11
> dr-xr-xr-x root root (null) 116
>
> But as faye says in his documentation:
> Running ls --context /proc shows the following listing for the init
> process (with a process id of 1):
>
> dr-xr-xr-x root root system_u:system_r:init_t 1
>
>
> Why is this so ?????

Old SELinux API vs. new SELinux API. As part of getting SELinux into the
mainline kernel, we had to completely overhaul the SELinux API. File
contexts are now obtained via the underlying extended attribute (xattr)
API, which fetches the xattr value from the filesystem implementation; in
contrast, under the old API, the file context was obtained from the SELinux
code itself, which would simply map the internal security identifier (SID)
from the in-core inode to a security context and return that context. As a
result, unless the filesystem implementation exports xattr handlers,
userspace cannot obtain the security contexts on the files.

We have implemented fake xattr handlers for the devpts pseudo filesystem to
support getting and setting security contexts on ptys (e.g. for sshd), but
didn't see it as necessary to do so for proc. Instead, you can obtain the
context of a given process via /proc/pid/attr/current, e.g.
cat /proc/1/attr/current will show you the context of the init process (if
you have permission to do so). Note that libselinux exports a getpidcon()
function for this purpose, which is what you should use from any program
that wants this information.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
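The following is an added example, not code from the thread or from libselinux. It does in Python what `cat /proc/<pid>/attr/current` and libselinux's `getpidcon()` do: read the process's security context from procfs, handle the cases where the read fails (the process is gone, the policy denies the caller getattr on it, or the kernel has no SELinux), and split the `user:role:type[:level]` string into its fields. The `procfs` parameter and the fake-procfs helper are assumptions added so the example can be exercised on a machine without SELinux; the sample context values are constructed, taken from the listing quoted above.

```python
"""Read a process's SELinux context the way the reply describes
(/proc/<pid>/attr/current) and split it into user, role, type and level."""
import os
import tempfile
from typing import NamedTuple, Optional


class SELinuxContext(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]   # MLS/MCS range; absent on policies without MLS


def parse_context(raw: str) -> SELinuxContext:
    """Split 'user:role:type[:level]' into fields.

    The kernel returns the value NUL-terminated and tools often add a
    newline, so both are stripped first. The level may itself contain
    colons (e.g. 's0-s0:c0.c1023'), so split on at most three separators.
    """
    ctx = raw.strip("\0\n ")
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not a SELinux context: {raw!r}")
    level = parts[3] if len(parts) == 4 else None
    return SELinuxContext(parts[0], parts[1], parts[2], level)


def read_pid_context(pid: int, procfs: str = "/proc") -> Optional[SELinuxContext]:
    """Return the context of `pid`, or None if it cannot be obtained.

    None covers the failure modes a caller must expect: ENOENT (no such
    process, or no procfs), EACCES (the policy denies this caller reading
    the target's attr file: the "if you have permission" caveat), EINVAL
    (kernel without SELinux), or a value that is not a SELinux context
    (another LSM's label such as 'unconfined').
    """
    path = os.path.join(procfs, str(pid), "attr", "current")
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:           # FileNotFoundError, PermissionError, EINVAL ...
        return None
    try:
        return parse_context(raw.decode("utf-8", "replace"))
    except ValueError:
        return None


def demo_fake_procfs(context: str = "system_u:system_r:init_t") -> Optional[SELinuxContext]:
    """Build a constructed procfs tree with a single pid 1 entry whose
    attr/current holds `context` (NUL-terminated like the kernel's), then
    read it back. Assumption for offline use only; real code uses /proc."""
    with tempfile.TemporaryDirectory() as root:
        attr_dir = os.path.join(root, "1", "attr")
        os.makedirs(attr_dir)
        with open(os.path.join(attr_dir, "current"), "wb") as fh:
            fh.write(context.encode() + b"\0")
        return read_pid_context(1, procfs=root)


if __name__ == "__main__":
    # On a real SELinux host this prints the caller's own context;
    # elsewhere it prints None, matching the failure modes above.
    print("self:", read_pid_context(os.getpid()))
    print("constructed init:", demo_fake_procfs())
```

Reading `/proc/<pid>/attr/current` directly is fine for a quick check; from a program, `getpidcon()` is still the right call because it applies the same error handling and frees you from knowing the procfs layout.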