On Wed, 25 May 2011, Sam Gandhi <samgandhi9@xxxxxxxxx> wrote:
> I am working on an embedded platform and we have busybox on this device.
>
> What we would like to do is assign different labels to various
> busybox links. What we have seen when running things on JFFS2 when I
> label a symbolic link, the actual file gets the label, but the link
> itself doesn't (according to ls -lZ output). We have seen similar
> behaviour with files on tmpfs as well.

SE Linux supports assigning a different label to the sym-link, but that only
matters when access checks are performed for reading/following the sym-link.
When it comes to actually running the program the link label means little.

If you want to use labels to determine domain transitions then you can't use
the sym-link label. You need to either have a wrapper program that is labeled
to give the domain transition which then executes busybox, or to have several
copies of busybox which aggregate only programs which deserve the same domain.

http://doc.coker.com.au/papers/porting-se-linux-hand-held-devices/

You could probably benefit from some of the suggestions I made in the above
paper.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
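The wrapper approach described in the reply above, as an added example that is not part of the original message or of busybox: a small per-domain wrapper that is itself the labeled file, checks the invoked applet name against a short list, and then executes busybox. The busybox path, the applet list and the function names are assumptions made for illustration; the file label and the policy rule that gives the domain transition are configured separately and are not shown.

```c
/* Added example: per-domain wrapper in front of busybox (illustrative, not busybox code). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUSYBOX_PATH "/bin/busybox"  /* assumption: location of the busybox binary */

/* Assumption: the applets that deserve this wrapper's domain. */
static const char *const allowed_applets[] = { "ping", "traceroute", NULL };

/* Final path component of argv[0]; busybox selects the applet from this name. */
const char *applet_name(const char *argv0)
{
    const char *slash;
    if (argv0 == NULL)
        return NULL;
    slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* 1 if the applet may run in this wrapper's domain, 0 otherwise. */
int applet_allowed(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0')
        return 0;
    for (i = 0; allowed_applets[i] != NULL; i++)
        if (strcmp(name, allowed_applets[i]) == 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 0 ? applet_name(argv[0]) : NULL;
    /* Refuse anything outside the list, so the domain is not reachable
       by invoking the wrapper under an unrelated applet name. */
    if (!applet_allowed(name)) {
        fprintf(stderr, "wrapper: applet '%s' not permitted\n", name ? name : "(none)");
        return 126;
    }
    argv[0] = (char *)name;      /* pass the bare applet name on to busybox */
    execv(BUSYBOX_PATH, argv);   /* returns only on failure */
    fprintf(stderr, "wrapper: exec %s: %s\n", BUSYBOX_PATH, strerror(errno));
    return 127;
}
```

The applet sym-links for this domain point at the wrapper instead of busybox, and each domain gets its own wrapper file, since the label is taken from the file that is executed and not from the link.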