* Casey Schaufler (casey@xxxxxxxxxxxxxxxx) wrote: > > > So this is a way for filesystem code to pass information to an LSM > > > without specifying semantics. Is there an expectation that > > > inode_getsecctx return the value sent by inode_notifysecctx, or > > > would you expect the "notify" secctx to be stored elsewhere? > > > > The former (getsecctx should return the value sent by notifysecctx). > > Not a separate value. > > Now that took me by surprise. > > I spent a good deal of time working with POSIX, so my perspective > may be a bit twisted, but I looks to me that from an interface > standpoint, inode_setsecctx and inode_notifysecctx are > indistinguishable. How would the man pages for the two differ? > Would you ever use both interfaces on the same inode? Assuming a simple model (no time of day magic or composite labels) they differ by calling ->setxattr so that the fs actually puts bit on persitent storage (may not be disk for ram backed fs). The callers are from the kernel (you don't have to worry about that) and the implementation is simply update your blob or update your blob and tell fs to update as well. thanks, -chris -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
