On Mon, 2005-03-28 at 10:05 -0500, Ivan Gyurdiev wrote: > .. so what you're saying is that nautilus (running as user_t, which has > read access to the file in question, as well as appropriate relabel > access), should determine its mime type, or use the DND target app, and > associate a context with that, which the mime handler can play, then > relabel file to that context (can't copy - what if it's huge?).... and > do this for every mime handler I attempt to open it with? Seems fairly pointless to perform such a relabeling if the context determination is based entirely on untrusted input from the same source as the data itself and the user isn't involved to any greater degree than selecting the file in the first place. If you are going to run it through a filtering pipeline (e.g. malicious code checker), then it makes more sense to set up a relabeling or data copying pipeline using TE to ensure that each filter stage is unbypassable and tamperproof (i.e. an assured pipeline in TE parlance). Note however that relabeling in place is not necessarily safe, as Linux does not yet fully support revocation of access. -- Stephen Smalley <sds@xxxxxxxxxxxxx> National Security Agency
