Stephen Smalley wrote:
> SELinux isn't name-based.

This is not so much about names but about the relationship to the parent container. I don't care if the file is called foo or bar, but whether its parent dir has the foo_t or bar_t context. There already is some coupling between the file and its directory. For example, to actually do the rename you need file as well as directory permissions. So in that regard, why would an additional type transition in that operation be harmful?

> rename() doesn't change your file mode or ACLs either.

Yes, that's why I said it's an old problem. I hoped that someone would have solved it in a systemic way.

Daniel J Walsh wrote:
> Just need to walk the tree adding watches for every directory and any
> time a new directory shows up you would add it to the watch list.
> I am not sure how much inotify can handle. We might get in trouble
> with the amount of resources used.

See the -r in man inotifywait (http://linux.die.net/man/1/inotifywait). Actually, you can use that tool and restorecon in a simple shell script to make a restorecond of your own. But having this in hand, you need neither inheritance nor type transitions for files. You could just create any new file with default_t and wait until restorecon labels it.

Michal Svoboda
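The "restorecond of your own" sketched in the message above, as an added example that is not part of the thread: inotifywait -r watches the tree recursively, and every file or directory that is created in or moved into it is handed to restorecon. The watch root /srv/data is a hypothetical placeholder, and the script assumes inotify-tools and policycoreutils are installed and that it runs with enough privilege to relabel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a minimal user-space
# restorecond built from inotifywait -r and restorecon.

# Turn one inotifywait line in the form '<path>|<EVENT[,EVENT...]>' into the
# path that needs relabelling. Only events that bring a new inode under the
# tree (CREATE, MOVED_TO) matter; anything else prints nothing.
path_to_relabel() {
    line=$1
    path=${line%%|*}
    events=${line#*|}
    case ",$events," in
        *,CREATE,*|*,MOVED_TO,*) printf '%s\n' "$path" ;;
        *) ;;
    esac
}

# Watch a directory tree and relabel new entries as they appear.
# $1: root of the tree to watch (e.g. /srv/data, a hypothetical path).
run_restorecond() {
    root=$1
    # -m: keep running, -r: recurse, -q: no startup chatter,
    # --format '%w%f|%e': full path, then comma-separated event names.
    inotifywait -m -r -q -e create -e moved_to --format '%w%f|%e' "$root" |
    while IFS= read -r line; do
        target=$(path_to_relabel "$line")
        [ -n "$target" ] || continue
        # -R covers a directory that was renamed into the tree together with
        # its whole subtree (a single MOVED_TO event, no per-file events).
        restorecon -R -- "$target"
    done
}

# Only start watching when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    run_restorecond "$1"
fi
```

Run it as `sh restorecond.sh /srv/data`; between a file's creation and the relabel the file carries whatever label the default rules gave it, so the window is short but not zero.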