Re: [PATCH 1/1] LSM/SELinux: {get,set}context hooks to access LSM security context information.

On Tue, 2008-03-04 at 16:10 -0800, Chris Wright wrote:
> * Dave Quigley (dpquigl@xxxxxxxxxxxxx) wrote:
> > 
> > On Tue, 2008-03-04 at 15:52 -0800, Chris Wright wrote:
> > > * Dave Quigley (dpquigl@xxxxxxxxxxxxx) wrote:
> > > > The reason for the differentiation is that NFS inodes don't need their
> > > > on-disk representation set. Normally this would be taken care of with an
> > > > inode_getsecurity call but as you noted Casey objected to a hook to get
> > > > the suffix name. Also he did have a point in that the context may have
> > > > several components to it that could have multiple suffixes. So I need a
> > > > hook that allows us to set possibly multiple internal security values
> > > > based on a security context and without using an xattr name.
> > > 
> > > Can you work on a couple things..first the fn name is not particularly
> > > helpful ({get,set}context are just vague), and second, the SELinux
> > > implementation is far too close to VFS code (you should not be manually
> > > calling fsnotify, for example).  IOW, it looks more like a higher
> > > level helper.
> > 
> > Is James' suggestion of getsecctx and setsecctx better or would you
> > prefer another name?
> 
> Mainly capturing that it's doing this to a file not another object.

I can prefix it with inode so it would be inode_setsecctx and
inode_getsecctx.

> 
> > The code for the selinux hook is taken from
> > vfs_setxattr. The issue is that we are going to be doing some VFSish
> > things in there. We are going to take a string and break it into zero or
> > more xattr calls (in SELinux's case it is only one). I guess we could
> > just set the xattr and then rely on the caller of this function to call
> > fsnotify.
> 
> Yes, can we formalize this?  the xattr_security code could be cleaned
> up if you need better helpers in VFS.

I'm not sure if it's a question of better helpers. The code is pretty
simple. I think the question is who should be calling fsnotify.

> 
> BTW, this is unnecessary after cut 'n paste:
> 
Good point, I'll remove it.

> +		rc = -EOPNOTSUPP;  <-- superfluous (and err works better for "if (!err)")
> +		if (inode->i_op->setxattr) {
> +			rc = inode->i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
> ...
> +		} else {
> +			rc = security_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx,
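Review bot: the `rc = -EOPNOTSUPP` store ahead of the `if` is dead, since both the `if (inode->i_op->setxattr)` branch and the `else` branch assign `rc`; drop it, and rename `rc` to `err` if the caller tests `if (!err)`. The `i_op->setxattr(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0)` call passes flags 0, so it creates or replaces the attribute unconditionally; that is the right semantics for a context update but deserves a one-line comment so nobody later "fixes" it to `XATTR_REPLACE`.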
> 
> 
> thanks,
> -chris
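To make the division of labour the thread converges on concrete, here is an added user-space model (not the kernel, not Dave's patch, and not SELinux's real hook code): the LSM-side hook turns one opaque context string into zero or more xattr writes on a mock inode (one for an on-disk inode, zero for an NFS-like inode that only carries an in-core label), and the VFS-side caller owns the fsnotify step. All names (`mock_inode`, `mock_setxattr`, `lsm_inode_setsecctx`, `lsm_inode_getsecctx`, `vfs_set_secctx`) and the sample labels are constructed for this illustration; `MOCK_XATTR_NAME_SELINUX` merely mirrors the kernel's `XATTR_NAME_SELINUX` string.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MOCK_MAX_XATTRS 4
#define MOCK_LABEL_MAX 128
/* Mirrors the kernel's XATTR_NAME_SELINUX; constant name is hypothetical. */
#define MOCK_XATTR_NAME_SELINUX "security.selinux"

struct mock_xattr {
    char name[32];
    char value[MOCK_LABEL_MAX];
};

/* Stand-in for struct inode plus its in-core LSM security blob. */
struct mock_inode {
    int has_setxattr;                   /* models inode->i_op->setxattr != NULL */
    struct mock_xattr xattrs[MOCK_MAX_XATTRS];
    int nxattrs;
    char incore_label[MOCK_LABEL_MAX];  /* what security_inode_setsecurity() updates */
    int notify_count;                   /* how often the caller "called fsnotify" */
};

/* Mock of inode->i_op->setxattr(): create or replace one on-"disk" attribute. */
static int mock_setxattr(struct mock_inode *ino, const char *name,
                         const char *value, size_t len)
{
    struct mock_xattr *x = NULL;
    int i;

    if (!ino->has_setxattr)
        return -EOPNOTSUPP;
    if (len >= MOCK_LABEL_MAX)
        return -ERANGE;
    for (i = 0; i < ino->nxattrs; i++)
        if (strcmp(ino->xattrs[i].name, name) == 0)
            x = &ino->xattrs[i];
    if (!x) {
        if (ino->nxattrs == MOCK_MAX_XATTRS)
            return -ENOSPC;
        x = &ino->xattrs[ino->nxattrs++];
        snprintf(x->name, sizeof(x->name), "%s", name);
    }
    memcpy(x->value, value, len);
    x->value[len] = '\0';
    return 0;
}

/* Hypothetical LSM hook: one context string -> zero or more xattr writes.
 * *nwrites reports how many xattrs were touched so the caller can decide
 * whether notification is due.  rc is assigned on every path, so there is
 * no need for an up-front rc = -EOPNOTSUPP store. */
static int lsm_inode_setsecctx(struct mock_inode *ino, const char *ctx,
                               size_t ctxlen, int *nwrites)
{
    int rc;

    *nwrites = 0;
    if (ctxlen >= MOCK_LABEL_MAX)
        return -ERANGE;
    if (ino->has_setxattr) {
        rc = mock_setxattr(ino, MOCK_XATTR_NAME_SELINUX, ctx, ctxlen);
        if (rc == 0)
            *nwrites = 1;
    } else {
        rc = 0;   /* NFS-like inode: in-core label only, nothing written */
    }
    if (rc == 0) {
        memcpy(ino->incore_label, ctx, ctxlen);
        ino->incore_label[ctxlen] = '\0';
    }
    return rc;
}

/* Hypothetical getter: copies the label out, returns its length or -ENODATA. */
static int lsm_inode_getsecctx(const struct mock_inode *ino, char *buf, size_t buflen)
{
    size_t n = strlen(ino->incore_label);

    if (n == 0)
        return -ENODATA;
    if (n >= buflen)
        return -ERANGE;
    memcpy(buf, ino->incore_label, n + 1);
    return (int)n;
}

/* VFS-side caller: owns the notification step; the LSM hook never does. */
static int vfs_set_secctx(struct mock_inode *ino, const char *ctx)
{
    int nwrites = 0;
    int rc = lsm_inode_setsecctx(ino, ctx, strlen(ctx), &nwrites);

    if (rc == 0 && nwrites > 0)
        ino->notify_count++;   /* stands in for fsnotify_xattr(dentry) */
    return rc;
}

int main(void)
{
    struct mock_inode disk = { .has_setxattr = 1 };
    struct mock_inode nfs = { .has_setxattr = 0 };
    char buf[MOCK_LABEL_MAX];

    /* Constructed sample labels. */
    vfs_set_secctx(&disk, "system_u:object_r:etc_t:s0");
    vfs_set_secctx(&nfs, "system_u:object_r:nfs_t:s0");
    if (lsm_inode_getsecctx(&disk, buf, sizeof(buf)) > 0)
        printf("disk: %s (xattrs=%d, notified=%d)\n", buf, disk.nxattrs, disk.notify_count);
    if (lsm_inode_getsecctx(&nfs, buf, sizeof(buf)) > 0)
        printf("nfs:  %s (xattrs=%d, notified=%d)\n", buf, nfs.nxattrs, nfs.notify_count);
    return 0;
}
```

The point of the `nwrites` out-parameter is that the caller, not the hook, decides whether an fsnotify event is warranted: an inode that took zero xattr writes (the NFS case) changes no on-disk attribute, so no xattr event is raised, while an on-disk inode gets exactly one event per successful update.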


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
