My 2 cents on problems related to the policy language. [View from an embedded system developer] That might help to push SELinux into embedded Linux devices.

Path-based file labeling using genfscon is _very_ limited. That creates a lot of problems when non-xattr filesystems are used with genfscon, even with a patch that allows file granularity for labeling (instead of filesystem granularity).

The nature of the problem is:
- non-xattr filesystems are often mounted at different mount points;
- directory names are the same after the mount points, so it is hard to specify correct labeling;
- read-only filesystems (usually non-xattr) often share the same inode for files with the same contents.

It is preferable to have simple "absolute path-based labeling" using genfscon (or a new keyword, e.g. genapcon) regardless of filesystem. E.g.:

genfscon /opt/app/myapp u:r:t --- "myapp" and everything "below" /opt/app/myapp will have the u:r:t label

Of course, there are known security issues with such an approach (links), but we can handle it.

Tim

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
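The following is an added illustration, not code from the post or from the SELinux project, of how the proposed absolute-path labeling ("genapcon <path> <context>", everything below the path inherits the label) could be resolved with longest-prefix matching, and of the "links" caveat the post raises: a lexical path lookup and a lookup on the link-resolved path can yield different labels. The rule set, the symlink table and the context strings other than u:r:t are constructed; the keyword genapcon and the functions below are hypothetical and do not reflect real genfscon semantics, which are keyed by filesystem type.

```python
"""Hypothetical absolute-path labeling resolver (added example, not SELinux code).

Models the "genapcon <abs-path> <context>" idea: a file takes the context of
the longest matching rule prefix, regardless of which filesystem it lives on.
Rules, sample paths and the symlink table are constructed for this example.
"""
import posixpath
from typing import Dict, List, Optional, Tuple

# Constructed rule set in the proposed style: (absolute path, security context).
# Only "/opt/app/myapp u:r:t" comes from the post; the others are made up.
RULES: List[Tuple[str, str]] = [
    ("/", "u:object_r:unlabeled_t"),
    ("/opt/app", "u:object_r:app_base_t"),
    ("/opt/app/myapp", "u:r:t"),
    ("/opt/app/myapp/bin", "u:object_r:myapp_exec_t"),
]


def normalize(path: str) -> str:
    """Lexically collapse '.', '..', repeated and trailing slashes; require an absolute path."""
    if not path.startswith("/"):
        raise ValueError("absolute path required: %r" % path)
    return posixpath.normpath("/" + path.lstrip("/"))


def _is_prefix(rule_path: str, path: str) -> bool:
    """True if path equals rule_path or lies below it, component-wise (so /opt/app/myapp2 is not below /opt/app/myapp)."""
    if rule_path == "/":
        return True
    return path == rule_path or path.startswith(rule_path + "/")


def label_for(path: str, rules: List[Tuple[str, str]] = RULES) -> Optional[str]:
    """Return the context of the most specific (longest) matching rule, or None if no rule applies."""
    path = normalize(path)
    best: Optional[Tuple[str, str]] = None
    for rule_path, ctx in rules:
        rp = normalize(rule_path)
        if _is_prefix(rp, path) and (best is None or len(rp) > len(best[0])):
            best = (rp, ctx)
    return best[1] if best else None


def resolve_links(path: str, links: Dict[str, str], max_depth: int = 40) -> str:
    """Rewrite path through a constructed symlink table (link path -> absolute target).

    Each pass replaces the first link found among the path's prefixes, then
    starts over, so chained links are followed; max_depth bounds link loops.
    """
    path = normalize(path)
    for _ in range(max_depth):
        parts = path.split("/")  # "/a/b" -> ["", "a", "b"]
        replaced = False
        for i in range(2, len(parts) + 1):
            prefix = "/".join(parts[:i])
            if prefix in links:
                rest = parts[i:]
                path = normalize(posixpath.join(links[prefix], *rest))
                replaced = True
                break
        if not replaced:
            return path
    raise RuntimeError("symlink loop or chain longer than %d: %r" % (max_depth, path))


def lexical_vs_resolved(path: str, links: Dict[str, str],
                        rules: List[Tuple[str, str]] = RULES) -> Tuple[Optional[str], Optional[str]]:
    """Show the link caveat: label of the path as written vs. label of its link-resolved form."""
    return label_for(path, rules), label_for(resolve_links(path, links), rules)


if __name__ == "__main__":
    # Constructed symlink: /data/link points into the myapp tree.
    demo_links = {"/data/link": "/opt/app/myapp"}
    for p in ("/opt/app/myapp/etc/config", "/opt/app/myapp/bin/run",
              "/opt/app/myapp2/x", "/data/link/bin/run"):
        print(p, "->", lexical_vs_resolved(p, demo_links))
```

The pair returned for /data/link/bin/run differs between the two lookups, which is the concrete form of the "links" issue: a policy that labels by the path as written would have to decide whether aliases created by links should inherit the target's label or keep the label of wherever the link lives.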