On Tue, 2005-01-04 at 10:21, Mike Hearn wrote:
> A daemon that fixes contexts as files are added feels rather racy. I'm
> sure I'm missing a lot of context from previous discussions on the matter
> here, but perhaps the kernel should set the context automatically when a
> new file is created in certain directories that are marked as "autofix".
>
> OK so then we have the problem that the context setting code is all done
> in userspace with regexs and other un-kernely things. Maybe there needs to
> be a framework in the kernel where a thread that does a file creation can
> be suspended and the kernel invokes a user-space program with the file
> path to figure out what the context should be. Once the process returns
> with the answer the file can be atomically created/set and the original
> thread resumes.

To clarify, the file_contexts configuration is only really intended to initialize the security contexts for a filesystem at install-time. After that point, you shouldn't be setting file contexts based on pathnames, as they don't convey the desired information about the real security properties of the object. Instead, you want the file to be labeled based on the creating process domain and parent directory type (which is what the kernel does), and allow security-aware applications to further customize the context if necessary for finer-grained labeling (which is already supported via the libselinux API).

Pathname-based security considered harmful.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
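The labeling rule described in the reply above (new file gets its type from a type_transition on the creating domain and parent directory type, otherwise inherits the parent directory's type, and a security-aware application may override this through the libselinux fscreate mechanism) can be modelled in a few lines. The model below is an added illustration written for this page, not SELinux kernel or libselinux code; the policy fragment in TYPE_TRANSITIONS and the contexts used are constructed sample values. Note that a pathname is never an input: two directories at different paths with the same type label yield the same result.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative policy fragment (not from any real policy):
# (creating domain, parent directory type, object class) -> type of the new object.
TYPE_TRANSITIONS = {
    ("httpd_t", "var_log_t", "file"): "httpd_log_t",
    ("sshd_t", "tmp_t", "file"): "sshd_tmp_t",
}


@dataclass(frozen=True)
class Context:
    """A security context user:role:type (MLS range omitted for brevity)."""
    user: str
    role: str
    type: str

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}"


def label_new_file(creator: Context, parent_dir: Context, cls: str = "file",
                   fscreate: Optional[Context] = None) -> Context:
    """Compute the label a newly created object receives.

    Mirrors the kernel's decision described in the mail: the label depends only on
    the creating process domain and the parent directory type, never on the path.
    `fscreate` models a context a security-aware application set beforehand via
    libselinux (setfscreatecon); when present it takes precedence.
    """
    if fscreate is not None:
        # Application chose a finer-grained label; the kernel still subjects this
        # to its own permission checks, which are out of scope for this model.
        return fscreate

    # Policy may name an explicit transition for (domain, parent type, class)...
    new_type = TYPE_TRANSITIONS.get((creator.type, parent_dir.type, cls))
    if new_type is None:
        # ...otherwise the object simply inherits its parent directory's type.
        new_type = parent_dir.type

    # Object classes get the fixed role object_r; the user comes from the creator.
    return Context(user=creator.user, role="object_r", type=new_type)


def demo() -> list[str]:
    """Show that the path of the parent directory plays no role in the outcome."""
    httpd = Context("system_u", "system_r", "httpd_t")
    # Two log directories at different (hypothetical) paths, same type label.
    log_dir_a = Context("system_u", "object_r", "var_log_t")  # e.g. /var/log
    log_dir_b = Context("system_u", "object_r", "var_log_t")  # e.g. /srv/logs
    etc_dir = Context("system_u", "object_r", "etc_t")
    custom = Context("system_u", "object_r", "httpd_config_t")
    return [
        str(label_new_file(httpd, log_dir_a)),            # transition fires
        str(label_new_file(httpd, log_dir_b)),            # same result, other path
        str(label_new_file(httpd, etc_dir)),              # no rule: inherit etc_t
        str(label_new_file(httpd, etc_dir, fscreate=custom)),  # app override
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The practical takeaway matches the mail: if a file ends up mislabeled after install, the fix is a missing or wrong type_transition rule (or an application that should be using the libselinux create-context API), not a daemon that re-labels by path.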