On Sunday 06 November 2005 20:04, James Morris wrote:
> On Sun, 6 Nov 2005, Gene Czarcinski wrote:
> > 2. As I see it, MCS is "simply" another type of ACL but one which (to
> > me) is a better design (more useable) than the existing ACL capability.
> > However, whereas I can categorize (protect) both files and directories
> > with ACL, I can currently only categorize (protect) files (not
> > directories) with MCS. I consider this to be a problem/deficiency.
> >
> > Consider that when I create new application files (e.g, with
> > openoffice.org), they will not have a category assigned by default. This
> > could leave a sensitive file available for others to access. With
> > directory protection, this could be mitigated.
>
> Yes, inheriting a directory's categories on file creation (only) is
> something we'll probably investigate soon.

I am not sure that "inheriting a directory's categories on file creation (only)" is the right answer (although it is one I could live with). I can envision a situation where the files under a directory would be a mix of categories.

My point is that if a directory is categorized, then I should not be able to see the files under that directory unless I was authorized for that category.

BTW, one "little" annoyance that I forgot to mention. If I have a file categorized s0:moonbean and then I copy it with "cp -p", the copied file has default categorization -- s0:. That is, the security attributes are not preserved. While I can get them preserved if I use "cp --preserve=all", I believe that this should be the default if I specify "-p".

Gene

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list