Yeah, looking at this, doesn't the statement really just allow for the use of type_transition statements on that filesystem? It doesn't actually generate labels; you still need the typetrans rule. It appears that the definition is overreaching for its actual function and probably inferring something from refpolicy.
On Oct 14, 2014 7:48 AM, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:
On 10/10/2014 07:05 PM, William Roberts wrote:
> The docs for fs_use_trans state:
>
> The fs_use_trans statement is used to allocate a security context to
> pseudo filesystems such as pseudo terminals and temporary objects. The
> assigned context is derived from the creating process and that of the
> filesystem type based on transition rules.
>
>
> Can someone give me an example? For instance if I had:
>
> fs_use_trans devpts u:object_r:devpts:s0;
>
> and a daemon running with context:
> u:r:init:s0
>
> and it creates something on the devpts, what is the resulting context
> of the object?
It depends on whether you have a type_transition rule defined in policy.
For example, in the Android policy, we have the create_pty() macro
defined in te_macros, and if you had create_pty(init) in your policy,
then it would set up a type transition so that any pty created by init
would be labeled with an init_devpts type rather than just devpts.
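An added example, not part of the original thread and not kernel or policy-tool code: a simplified Python model of how the context of a new object on an fs_use_trans filesystem is chosen, run against the devpts case from the question. The function names are hypothetical, the policy fragments are constructed from the names used in the thread, and the model assumes no default_user/default_role/default_type statements or role transitions are in play.

```python
import re

# Constructed policy fragments using the names from the thread.
POLICY_NO_RULE = "fs_use_trans devpts u:object_r:devpts:s0;"
POLICY_WITH_RULE = POLICY_NO_RULE + """
# The kind of rule a per-domain pty macro sets up (written by hand here).
type_transition init devpts:chr_file init_devpts;
"""

def parse_policy(text):
    """Collect fs_use_trans contexts and type_transition rules."""
    fs_ctx, trans = {}, {}
    text = re.sub(r"#.*", "", text)            # drop comments
    for stmt in (s.strip() for s in text.split(";")):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "fs_use_trans" and len(words) == 3:
            fs_ctx[words[1]] = words[2]        # fstype -> filesystem context
        elif words[0] == "type_transition" and len(words) == 4:
            target, tclass = words[2].split(":")
            trans[(words[1], target, tclass)] = words[3]
    return fs_ctx, trans

def new_object_context(policy, creator, fstype, tclass):
    """Context given to an object that `creator` makes on `fstype`."""
    fs_ctx, trans = parse_policy(policy)
    if fstype not in fs_ctx:
        raise KeyError(f"no fs_use_trans statement for {fstype}")
    c_user, _c_role, c_type, c_level = creator.split(":", 3)
    fs_type = fs_ctx[fstype].split(":", 3)[2]
    # A matching type_transition rule picks the type; with no rule the
    # object falls back to the filesystem's own type.
    new_type = trans.get((c_type, fs_type, tclass), fs_type)
    # User comes from the creator, role is object_r, level is the
    # creator's low level (simplified MLS handling).
    low = c_level.split("-")[0]
    return ":".join((c_user, "object_r", new_type, low))

if __name__ == "__main__":
    for name, pol in (("no rule", POLICY_NO_RULE), ("with rule", POLICY_WITH_RULE)):
        print(name, "->", new_object_context(pol, "u:r:init:s0", "devpts", "chr_file"))
```
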