Hello Russell,

On Tue, May 24, 2011 at 3:53 PM, Russell Coker <russell@xxxxxxxxxxxx> wrote:
> On Wed, 25 May 2011, Sam Gandhi <samgandhi9@xxxxxxxxx> wrote:
>> I am working on an embedded platform and we have busybox on this device.
>>
>> What we would like to do is assign different labels to various
>> busybox links. What we have seen when running things on JFFS2 when I
>> label a symbolic link, the actual file gets the label, but the link
>> itself doesn't (according to ls -lZ output). We have seen similar
>> behaviour with files on tmpfs as well.
>
> SE Linux supports assigning a different label to the sym-link, but that only
> matters when access checks are performed for reading/following the sym-link.
> When it comes to actually running the program the link label means little.
>
> If you want to use labels to determine domain transitions then you can't use
> the sym-link label. You need to either have a wrapper program that is labeled
> to give the domain transition which then executes busybox, or to have several
> copies of busybox which aggregate only programs which deserve the same domain.
>
> http://doc.coker.com.au/papers/porting-se-linux-hand-held-devices/

That is fantastic! What is described in your paper is exactly what I
was looking to do.

Thank you SO much.

-Sam
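The wrapper approach mentioned in the quoted reply, sketched as an added example that is not part of either message or of the linked paper: one small labeled binary per target domain that only hands off to busybox for the applets belonging to that domain. The busybox path, the applet list and the SELinux type names are assumptions chosen for illustration.

```c
/* Added example; BUSYBOX_PATH, the applet list and the SELinux type names
 * are assumptions. The wrapper file itself carries the entrypoint label, e.g.
 *   type_transition caller_t netapps_wrapper_exec_t:process netapps_t;
 * so the transition happens on exec of the wrapper, before busybox runs. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUSYBOX_PATH "/bin/busybox"
#define MAX_ARGS 64
/* Applets that deserve this wrapper's domain (constructed sample). */
static const char *const allowed_applets[] = { "ping", "traceroute", NULL };

static int applet_allowed(const char *name)
{
    for (size_t i = 0; allowed_applets[i] != NULL; i++)
        if (strcmp(name, allowed_applets[i]) == 0)
            return 1;
    return 0;
}

/* Fill out[] with the argv to pass to busybox: out[0] is the bare applet
 * name taken from argv[0]. Returns 0, or -1 if the applet is refused. */
int build_busybox_argv(int argc, char *const argv[], char *out[], size_t out_len)
{
    if (argc < 1 || argv[0] == NULL || (size_t)argc + 1 > out_len)
        return -1;
    char *slash = strrchr(argv[0], '/');
    char *applet = slash ? slash + 1 : argv[0];
    if (!applet_allowed(applet))
        return -1;  /* other applets must not run in this domain */
    out[0] = applet;
    for (int i = 1; i < argc; i++)
        out[i] = argv[i];
    out[argc] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    char *new_argv[MAX_ARGS];
    if (build_busybox_argv(argc, argv, new_argv, MAX_ARGS) != 0) {
        fprintf(stderr, "wrapper: applet not permitted in this domain\n");
        return 126;
    }
    execv(BUSYBOX_PATH, new_argv);
    perror("execv");  /* reached only if exec failed */
    return 127;
}
```

The policy for the target domain also has to allow executing the busybox binary without a further transition; the allowlist keeps a shared wrapper from running applets that belong in a different domain.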