On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
> On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> > ***restorecon:
> > do we have an interface to see what is actually in security.xattr?
>
> No - because we don't have separate interfaces for getting/setting MAC
> labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
> a first class construct and xattrs are just a storage mechanism that may
> or may not be used by the MAC module).
>
> We had talked about the possibility of allowing processes with
> CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
> contexts thread on selinux list. But see my comments there.

In particular, see:
http://marc.info/?l=selinux&m=121016477203440&w=2
http://marc.info/?l=selinux&m=121016814610025&w=2
http://marc.info/?l=selinux&m=121017332919586&w=2

It is possible, but we have to figure out how we want to handle it; we
don't want every getxattr call to trigger a full capable() check along
with auditing.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
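The exchange above asks how a tool like restorecon can see what is stored in the security.selinux xattr. The following is an added example, not code from the thread, from SELinux or from restorecon: it shows what a caller gets today through the generic xattr interface the thread refers to, and how to tell the three common outcomes apart (a label, no attribute, or a filesystem that offers none). It assumes Linux with <sys/xattr.h>; the scratch file name /tmp/selabel-XXXXXX and the function names are constructed for the example. The string returned is the label the kernel reports for the inode, which is why the thread's question about the raw on-disk bytes cannot be answered through this call alone.

```c
/* Added example (not from the thread): read the SELinux label the kernel
 * reports for a file via lgetxattr("security.selinux").  Assumes Linux and
 * <sys/xattr.h>.  The result is the kernel's view of the inode label, not a
 * raw dump of the xattr bytes stored on disk. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

enum label_status {
    LABEL_OK = 0,       /* label copied into buf */
    LABEL_NONE,         /* ENODATA: no security.selinux xattr on this inode */
    LABEL_UNSUPPORTED,  /* ENOTSUP: filesystem or kernel offers no such xattr */
    LABEL_ERROR         /* any other failure; errno is left for the caller */
};

/* Fetch security.selinux for path into buf as a NUL-terminated string.
 * lgetxattr is used so a symlink's own label is reported, not its target's. */
enum label_status read_selinux_label(const char *path, char *buf, size_t len)
{
    if (len == 0) {
        errno = EINVAL;
        return LABEL_ERROR;
    }
    ssize_t n = lgetxattr(path, "security.selinux", buf, len - 1);
    if (n < 0) {
        if (errno == ENODATA)
            return LABEL_NONE;
        if (errno == ENOTSUP)
            return LABEL_UNSUPPORTED;
        return LABEL_ERROR;  /* ERANGE (buffer too small), EACCES, ENOENT, ... */
    }
    /* The value may or may not carry a trailing NUL; normalise it away. */
    if (n > 0 && buf[n - 1] == '\0')
        n--;
    buf[n] = '\0';
    return LABEL_OK;
}

/* Create a scratch file (constructed path), probe its label, clean up.
 * Returns the status so a caller can check it; prints for interactive use. */
enum label_status probe_tmpfile(void)
{
    char path[] = "/tmp/selabel-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return LABEL_ERROR;
    close(fd);

    char label[4096];
    enum label_status st = read_selinux_label(path, label, sizeof label);
    switch (st) {
    case LABEL_OK:
        printf("%s: %s\n", path, label);
        break;
    case LABEL_NONE:
        printf("%s: no security.selinux xattr\n", path);
        break;
    case LABEL_UNSUPPORTED:
        printf("%s: security xattrs not supported on this filesystem\n", path);
        break;
    default:
        printf("%s: lgetxattr failed: %s\n", path, strerror(errno));
        break;
    }
    unlink(path);
    return st;
}

int main(void)
{
    return probe_tmpfile() == LABEL_ERROR ? 1 : 0;
}
```

On an SELinux system the probe prints the freshly created file's label (for example a tmp_t context); on a kernel without SELinux it reports that the attribute is absent or unsupported. Distinguishing those outcomes matters for any label-verification job, since "no label" and "cannot ask" call for different responses.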