Russell Coker wrote:
On Saturday 11 October 2008 15:15, Murray McAllister <mmcallis@xxxxxxxxxx>
wrote:
When files and directories are copied, the SELinux context of the new
file or directory depends on the context of the creating process, and
the context of the target, parent directory: the type is inherited from
the target, parent directory (unless a type transition rule exists[1]);
the SELinux user identity and level are inherited from the creating
process; and the role is always object_r, which is a generic role for
files. This helps ensure files and directories are labeled with the
correct SELinux context after being copied.
I'm not sure how the last sentence is supposed to link with the rest - it
certainly doesn't correspond to the second-last sentence.
That was from the old, wrong text. I moved it around a little:
When files and directories are copied, the SELinux context of the new
file or directory depends on the context of the creating process, and
the context of the target, parent directory. This helps ensure files and
directories are labeled with the correct SELinux context after being
copied. When files and directories are copied, the type is inherited...
object_r is for future support and also to give a regular format of the
context for all operations. Note that files under /proc that relate to
processes have different roles.
I could only find the system_r and object_r roles in /proc/. Are there
any others? /proc/pid/* seem to only use system_r (I did not check
everything).
How about:
object_r is a generic role for used most files. Under the /proc/
directory, files relating to processes may use the system_r role.
Thanks again for your help.
Also, when a file is copied over an existing file, the existing file's
context is maintained, unless the user specified cp options to preserve
the context of the original file, such as --preserve=context.
Also the -Z option to cp deserves a mention.
#Is the following required, or is it covered by the above:
On systems running the MLS policy, when files and directories are
copied, they inherit the type from the parent directory they are being
copied to, and the level from the process that copied them.
Probably.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
