Re: [PATCH] SELinux: allow fstype unknown to policy to use xattrs if present

On Thu, 2008-06-12 at 13:57 -0400, Christopher J. PeBenito wrote:
> On Thu, 2008-06-12 at 13:26 -0400, Eric Paris wrote:
> > Currently if a fs is mounted for which selinux policy does not define an
> > fs_use_* or a genfscon statement that FS will not support labeling of
> > any kind.  This patch allows the kernel to check if the filesystem
> > supports security xattrs and if so will use those if there is no
> > fs_use_* rule in policy.  An fstype with a genfs rule will use xattrs if
> > available and will follow the genfs rule if they are not.
> 
> Let me verify what I think I read in the patch.  The filesystem
> labeling behavior (filesystem class) is unchanged, right? i.e.
>
> 1. no fs_use + genfs + security xattr on fs = genfs type for fs
no.  we set fs_sid = SECINITSID_FS and we use the labels in the xattr
> 2. no fs_use + no genfs + security xattr on fs = unlabeled isid for fs
fs_sid = SECINITSID_FS and we use the labels in the xattrs

1st priority: fs_use_{xattr,transition,etc} wins
2nd priority: fs has xattr support wins (and we use xattrs)
3rd priority: genfscon statement wins

If there is a case where this is wrong I suggest we add a
fs_use_genfscon rule...   But I don't think such a case exists today.
genfscon has always been a fallback, and now it just falls further back.

-Eric
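The priority order Eric states (fs_use_* first, then security xattr support, then genfscon, else unlabeled), and the way it differs from the pre-patch order that ignored xattr support, can be written down as a small model. The following is an added example for this thread, not code from the kernel patch under discussion: the `Policy` class, the `resolve` function, the `patched` flag and the sample fstypes are all constructed here to illustrate the rule ordering, and the returned behavior strings are labels for the model, not kernel constants.

```python
"""Model of SELinux superblock labeling-behavior resolution as described in the thread.

Constructed example: a policy is a map of fstype -> fs_use_* behavior plus a set of
fstypes that have genfscon statements; xattr support is a boolean the kernel would
discover by probing the filesystem. The `patched` flag selects the ordering after
Eric's patch (xattr support considered) versus before it (xattr support ignored).
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Policy:
    # fstype -> behavior named in an fs_use_* statement, e.g. "xattr", "trans", "task"
    fs_use: dict = field(default_factory=dict)
    # fstypes that have at least one genfscon statement
    genfscon: set = field(default_factory=set)


def resolve(policy: Policy, fstype: str, fs_supports_security_xattr: bool,
            patched: bool = True) -> str:
    """Return the labeling behavior chosen for a mounted filesystem.

    Order per the thread: 1st fs_use_* wins, 2nd xattr support wins (labels read
    from the security xattrs), 3rd genfscon wins, otherwise the fs is unlabeled.
    With patched=False the second step is skipped, which is the pre-patch behavior.
    """
    if fstype in policy.fs_use:
        return "fs_use_" + policy.fs_use[fstype]
    if patched and fs_supports_security_xattr:
        return "xattr"
    if fstype in policy.genfscon:
        return "genfscon"
    return "unlabeled"


def changed_cases(policy: Policy, fstype: str) -> list:
    """List (xattr_support, before, after) for every case whose outcome the patch changes."""
    out = []
    for has_xattr in (False, True):
        before = resolve(policy, fstype, has_xattr, patched=False)
        after = resolve(policy, fstype, has_xattr, patched=True)
        if before != after:
            out.append((has_xattr, before, after))
    return out


# Constructed sample policy: ext3-like fstype with fs_use_xattr, a "genfs_only" fstype
# that has a genfscon statement, and "newfs" which policy knows nothing about.
SAMPLE_POLICY = Policy(fs_use={"ext3": "xattr"}, genfscon={"genfs_only"})

if __name__ == "__main__":
    for fstype, has_xattr in product(("ext3", "genfs_only", "newfs"), (False, True)):
        print(fstype, "xattr" if has_xattr else "no-xattr",
              "before:", resolve(SAMPLE_POLICY, fstype, has_xattr, patched=False),
              "after:", resolve(SAMPLE_POLICY, fstype, has_xattr, patched=True))
```

Running the block prints the full table; the two cases Chris asked about are `genfs_only` with xattr support (genfscon before, xattrs after) and `newfs` with xattr support (unlabeled before, xattrs after). A filesystem with an fs_use_* rule, or one without security xattr support, resolves the same way before and after.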


--
This message was distributed to subscribers of the selinux mailing list.
