On Tue, 2004-08-31 at 15:18, Luke Kenneth Casson Leighton wrote:
> i think we need the input of more experienced people than us to
> say why these associate things are needed.

It provides control over the set of files that can live in a given
filesystem, based on their security types (equivalence classes). As you
are now creating device types in a different filesystem type, further
allow rules are needed to allow that association.

> a correct implementation of the
> hacked-together-relaxed-fscontext-hooks.c-patch results in an atomic
> operation (mount with a new context which would otherwise need to be
> achieved with two commands: mount followed by restorecon)

The more important issue is that fscontext= lets you set the superblock
security context, not just the root directory context. restorecon can't
do that.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency