Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: > What sort of authorization are you thinking of? I would expect > that to have been done by cachefileselinuxcontext (or > cachefilesspiffylsmcontext) up in userspace. If you're going to > rely on userspace applications for policy enforcement they need > to be good enough to count on after all. It can't be done in userspace, otherwise someone using the cachefilesd interface can pass an arbitrary context up. The security context has to be passed across the file descriptor attached to /dev/cachefiles along with the other configuration parameters as a text string. This fd selects the particular cache context that a particular instance of a running daemon is using. David -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
