On 12/7/2010 9:34 AM, Stephen Smalley wrote: > On Tue, Dec 7, 2010 at 11:56 AM, Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote: >> Let's assume for the moment that no one has a significant objection >> to adding the component name to inode_init_security. I am not >> suggesting that what gets passed to inode_init_security is >> insufficiently general. I am asking if there are other hooks that >> also ought to have the component name as one of their parameters. >> Yes, I understand the concept of "if it ain't broke ...", and that >> may suffice at this point, and if not the fact that no one would be >> using the component name in those other hooks definitely would. I >> expect that when someone comes along with a new LSM that does access >> controls based on the final component* they aren't going to suffer >> unnecessary resistance from the SELinux community as they add the >> component name as a parameter to other hooks. >> >> ---- >> * For example, only files suffixed with ".exe" can be executed and >> only files suffixed with ".so" can be mmapped. > I think you can already achieve that via the pathname hooks, but if > not and you want it, go for it. Well there it is then. Sure, add the component to inode_init_security if no one on the filesystem end has an issue with it. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
