Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:

> The cache files are created by the cachefiles kernel module, not by the
> userspace daemon, and the userspace daemon doesn't need to directly
> read/write them at all

That is correct.

> (but I think it does need to be able to unlink them?).

Indeed.

> The userspace daemon merely identifies the directory where the cache should
> live as part of configuring the cache when enabling it.

That is the way it currently works, yes.

> Hence, it is fine to use a fixed label for the cache files (systemhigh
> in a MLS world), and to let the directory's label serve as the basis for
> it.

That is what I currently do. SELinux rules are provided to grant the
appropriate file accesses to the override label used by the kernel module, so
that it can't go and stamp on files with the wrong label.

> Only the cachefiles kernel module directly reads and writes the files.

Correct.

--
This message was distributed to subscribers of the selinux mailing list.
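The split of privileges described in the exchange above (the daemon only configures the cache directory and unlinks files; only the kernel module, acting under its override label, creates, reads and writes the cache files, which carry a fixed label inherited from the directory) can be expressed as a small type enforcement policy. The fragment below is an illustrative example written for this post, not policy from the thread or from any shipped cachefiles module; the type names cachefilesd_t, cachefiles_kernel_t and cachefiles_var_t are assumed placeholders, and the exact permission sets are illustrative.

```selinux
# Illustrative SELinux TE policy for the cachefiles labelling scheme.
# All type names are assumed for this example; they are not taken from
# the thread or from a real policy module.
policy_module(cachefiles_example, 1.0)

type cachefilesd_t;        # userspace daemon domain (assumed name)
type cachefiles_kernel_t;  # override label the kernel module acts under (assumed)
type cachefiles_var_t;     # fixed label of the cache directory and its files (assumed)
files_type(cachefiles_var_t)

# The daemon configures the cache: it must locate the cache directory and be
# able to remove cache files, but it gets no read/write access to their contents.
allow cachefilesd_t cachefiles_var_t:dir { search getattr read write remove_name };
allow cachefilesd_t cachefiles_var_t:file { getattr unlink };

# Only the kernel module's override label may create and read/write cache files.
# Because the kernel creates files using the directory's label as the basis,
# they inherit cachefiles_var_t with no type_transition rule required.
allow cachefiles_kernel_t cachefiles_var_t:dir { search getattr read write add_name remove_name create rmdir rename };
allow cachefiles_kernel_t cachefiles_var_t:file { create open read write getattr setattr unlink rename };

# Policy-level check of the invariant from the thread: the daemon never gains
# read/write on cache file contents. Compilation fails if a later rule grants it.
neverallow cachefilesd_t cachefiles_var_t:file { read write append };
```

The neverallow is the part worth keeping even if the permission lists are tuned for a real deployment: it turns the "daemon doesn't read/write the files" statement into something the policy compiler enforces rather than a convention.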