On Tue, May 12, 2009 at 06:47:04PM -0700, Casey Schaufler wrote: > Joel Becker wrote: > > Oh, absolutely. > > As an aside, do inodes ever have more than one security.* > > attribute? > > ACLs, capability sets and Smack labels can all exist on a file at > the same time. I know of at least one effort underway to create a > multiple-label LSM. So ACLs and cap sets live under security.*? That's good. > > Would my (existing) inode then have > > security.smack and security.selinux attributes? > > > > Yup. It happens all the time. Whenever someone converts a Fedora > system to Smack they end up with a filesystem full of unused selinux > labels. It does no harm. At that runtime, sure. But with reflink(), we may be reflinking someone else's inode, and if we have to drop its security state, we should clean the unused labels just in case they go back to selinux (or back to smack, etc). But if they are all under security.*, it's easy to do. Thanks! Joel -- Life's Little Instruction Book #173 "Be kinder than necessary." Joel Becker Principal Software Developer Oracle E-mail: joel.becker@xxxxxxxxxx Phone: (650) 506-8127 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
