On Mon, 19 Nov 2007, Trond Myklebust wrote:

> This proposal, OTOH, will force the server to track all clients that
> access a labelled file, and to notify them all synchronously if ever a
> change is made. That can never scale if, say, you want to relabel the
> entire filesystem as SELinux appears wont to do.

There are further requirements for conveying volatile security state
between the peers, such as: the current security context of the client,
and the client's current explicit label for new files (if present).

A possible approach for dealing with all of these is to use a
per-procedure OP which is prefixed in a similar manner to SEQUENCE, when
security labeling is active. It may be possible to optimize this at the
server so that an updated file security label (or indeed the entire
security OP) is only sent if required.

--
James Morris <jmorris@xxxxxxxxx>