--- David Howells <dhowells@xxxxxxxxxx> wrote:

> Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>
> > The cache files are created by the cachefiles kernel module, not by the
> > userspace daemon, and the userspace daemon doesn't need to directly
> > read/write them at all
>
> That is correct.
>
> > (but I think it does need to be able to unlink them?).
>
> Indeed.
>
> > The userspace daemon merely identifies the directory where the cache should
> > live as part of configuring the cache when enabling it.
>
> That is the way it currently works, yes.
>
> > Hence, it is fine to use a fixed label for the cache files (systemhigh
> > in an MLS world), and to let the directory's label serve as the basis for
> > it.
>
> That is what I currently do. SELinux rules are provided to grant the
> appropriate file accesses to the override label used by the kernel module, so
> that it can't go and stamp on files with the wrong label.
>
> > Only the cachefiles kernel module directly reads and writes the files.
>
> Correct.

Well, my bad, and thank you for clearing up my misunderstanding.

Casey Schaufler
casey@xxxxxxxxxxxxxxxx

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
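The access model the thread agrees on (the daemon only names and maintains the cache directory and may unlink files, while only the kernel module's override label creates, reads and writes them, and files take their label from the directory) can be written down as a type-enforcement fragment. The following is an added illustration, not code from the thread, from the cachefiles project or from any shipped SELinux policy; the type names cachefilesd_t, cachefiles_kernel_t and cachefiles_var_t are hypothetical stand-ins, and the MLS placement of the files at systemhigh mentioned in the thread is not expressed here.

```selinux
# Added illustration; hypothetical type names, not a shipped policy module.
policy_module(cachefiles_example, 1.0)

type cachefilesd_t;          # the userspace daemon (cachefilesd)
type cachefiles_kernel_t;    # override label the kernel module acts under
type cachefiles_var_t;       # label of the cache directory and its files

# The daemon configures and maintains the cache: it may traverse and
# manage the directory and remove stale files, but it is never granted
# read or write on the file contents.
allow cachefilesd_t cachefiles_var_t:dir  { search getattr open read write add_name remove_name rmdir };
allow cachefilesd_t cachefiles_var_t:file { getattr unlink };

# Only the kernel module, acting under its override label, creates,
# reads and writes the cache files.
allow cachefiles_kernel_t cachefiles_var_t:dir  { search getattr open read write add_name remove_name create rmdir };
allow cachefiles_kernel_t cachefiles_var_t:file { create getattr setattr open read write unlink };

# Because cachefiles_kernel_t is granted access to cachefiles_var_t only,
# the module cannot "stamp on" files carrying any other label.  New files it
# creates under the cache directory inherit cachefiles_var_t, so the
# directory's label is the basis for the file label with no extra rule.

# Make the intent checkable at policy build time: the daemon must never
# be able to read or write the cache file contents.
neverallow cachefilesd_t cachefiles_var_t:file { read write open };
```

The neverallow at the end is the practitioner's check: if someone later adds a rule that hands the daemon content access, the policy build fails rather than silently widening the daemon's reach. Whether the override context's MLS range must cover systemhigh for the files to land there is a separate decision that this fragment does not make.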