On Mon, Jan 31, 2011 at 18:19:12 +0100, Luis Fernando Muñoz Mejías <Luis.Fernando.Munoz.Mejias@xxxxxxx> wrote:
>
> What I expect from reading a policy is this: if a process context is
> allowed to create in a directory, new files should have the context the
> policy specifies, so that SELinux-unaware code (f.i., automatic config
> generators) doesn't break.

The issue is that the file context list used by restorecon isn't really
integrated into the rest of policy. Doing the look up when doing all file
creations would be very expensive. So the only information currently used
at creation time is the context of the directory the file is being created
in, the context of the process doing the creation and the type (char,
block, dir, etc.) of object being created.

However down the road the final part of the pathname may become usable
which would help in cases like this. See:

http://lwn.net/Articles/419161/

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
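The following is an added example, not part of the message above and not taken from any SELinux distribution policy. It is a reference-policy style module fragment that makes the reply's point concrete: at creation time the kernel consults only the creating domain, the parent directory's type and the object class (the `type_transition` rule), optionally the last path component once filename transitions are supported (the feature the LWN article describes; it requires a kernel and policy version with that support), while the regex-based file_contexts entry at the bottom is consulted only by restorecon, matchpathcon and friends, never by the kernel at create time. All type, domain and path names (`myapp_t`, `myapp_etc_t`, `myapp_conf_t`, `/etc/myapp`) are hypothetical.

```selinux
# ---- myapp.te (assumed module name; all types below are hypothetical) ----
policy_module(myapp, 1.0)

require {
    type etc_t;          # label of /etc in the base policy
}

type myapp_t;            # the domain that creates the config files
type myapp_etc_t;        # default label for files it creates under /etc
type myapp_conf_t;       # label for one specific file name
files_type(myapp_etc_t)
files_type(myapp_conf_t)

# Permissions the domain needs to create files and subdirectories in an
# etc_t directory and to write the newly labelled objects.
allow myapp_t etc_t:dir { search write add_name };
allow myapp_t myapp_etc_t:file { create write getattr open };
allow myapp_t myapp_conf_t:file { create write getattr open };
allow myapp_t myapp_etc_t:dir { create write add_name search };

# Creation-time decision, using exactly the three inputs named in the reply:
#   source domain = myapp_t, parent directory type = etc_t, object class.
# Without these rules a new file would simply inherit etc_t from its parent.
type_transition myapp_t etc_t:file myapp_etc_t;
type_transition myapp_t etc_t:dir  myapp_etc_t;

# Filename transition: the fourth input (last path component) that the
# linked LWN article proposes. This rule form is only accepted by a
# policy/kernel that supports filename transitions; on older systems
# the rule above is the best the policy can express.
type_transition myapp_t etc_t:file myapp_conf_t "myapp.conf";

# ---- myapp.fc (hypothetical) ----
# Only restorecon / setfiles / matchpathcon read this. A file created by
# an SELinux-unaware program running in some other domain under /etc/myapp
# is NOT labelled by this entry until restorecon runs; it gets whatever
# the type_transition rules (or plain inheritance) decide at create time.
/etc/myapp(/.*)?    gen_context(system_u:object_r:myapp_etc_t,s0)
```

To see the two mechanisms diverge on a real system, create a file under the labelled directory from a domain that has no `type_transition` rule, compare `ls -Z` on it with `matchpathcon` for the same path, then run `restorecon -v` on it: the first shows the inherited or transitioned label chosen at create time, the second shows what file_contexts would assign, and restorecon is what reconciles them afterwards.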