On Tue, 2008-03-04 at 15:52 -0800, Chris Wright wrote:
> * Dave Quigley (dpquigl@xxxxxxxxxxxxx) wrote:
> > The reason for the differentiation is that NFS inodes don't need their
> > on-disk representation set. Normally this would be taken care of with an
> > inode_getsecurity call but as you noted Casey objected to a hook to get
> > the suffix name. Also he did have a point in that the context may have
> > several components to it that could have multiple suffixes. So I need a
> > hook that allows us to set possibly multiple internal security values
> > based on a security context and without using an xattr name.
>
> Can you work on a couple things..first the fn name is not particularly
> helpful ({get,set}context are just vague), and second, the SELinux
> implementation is far too close to VFS code (you should not be manually
> calling fsnotify, for example). IOW, it looks more like a higher
> level helper.

Is James' suggestion of getsecctx and setsecctx better or would you
prefer another name? The code for the selinux hook is taken from
vfs_setxattr. The issue is that we are going to be doing some VFSish
things in there. We are going to take a string and break it into zero or
more xattr calls (in SELinux's case it is only one). I guess we could
just set the xattr and then rely on the caller of this function to call
fsnotify.