On Mon, 2005-03-28 at 11:04 +0100, Luke Kenneth Casson Leighton wrote: > On Sun, Mar 27, 2005 at 11:57:35PM -0500, Ivan Gyurdiev wrote: > > > There can't be more than one file_type_auto_trans on the same folder > > type (right?). > > bizarrely, no. > > i believe this issue was raised some months ago, with the > "alternative file context" thing. > > if file_type_auto_trans also took an executable [domain] as an > additional argument, i believe you stand a chance of achieving > what you seek. file_type_auto_trans() is based on the domain of the creating process, the type of the parent directory, and optionally the class of the new file. Hence, you can specify different types on the same "folder" type as long as the programs run in different domains. If instead both programs run in the same domain and are acting on the same directory type and creating the same class of file, you have to make the program security-aware if you want to use multiple types on the files (or similarly, if you have a single program that creates multiple files in the same directory and you want them to have different types, the program needs to be security-aware, as with the /etc/passwd and /etc/shadow type preservation issue). -- Stephen Smalley <sds@xxxxxxxxxxxxx> National Security Agency
