Re: fs_use_trans

On 10/14/2014 11:00 AM, William Roberts wrote:
> Yeah looking at this statement doesn't really just allow for the use of
> type_transition statements on that filesystem? It doesn't actually generate
> labels, you still need the typetrans rule. It appears that the definition
> is overreaching for its actual function and probably inferring something
> from refpolicy.

Each of the fs_use_* statements specifies how to determine the label for
existing inodes in the filesystem.  fs_use_xattr tells SELinux to fetch
the inode label via ->getxattr().  fs_use_task tells SELinux to assign
the inode the label of its creator.  fs_use_trans tells SELinux to
compute the inode label based on the result of security_transition_sid()
on the creating process SID and the filesystem SID.  What
security_transition_sid() returns depends on whether or not you have a
transition rule in policy.  So fs_use_trans doesn't guarantee that you
have a transition rule in place; it just allows you to use transition
rules if you wish to label the inodes based on some combination of the
creating process domain and the filesystem type.
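
Added example, not part of the original message or of the SELinux code base: a simplified Python model of the three labeling behaviors described above, showing what fs_use_trans yields with and without a matching type_transition rule. The function names, the sample type names and the rule table are constructed for illustration; MLS levels and the policy's default_user/default_role/default_type statements are left out.

```python
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str

    def __str__(self):
        return ":".join(self)

# Constructed sample rule, equivalent to the policy statement:
#   type_transition sshd_t devpts_t:chr_file sshd_devpts_t;
TYPE_TRANSITIONS = {
    ("sshd_t", "devpts_t", "chr_file"): "sshd_devpts_t",
}

def transition_sid(source, target, tclass, rules):
    """Model of security_transition_sid() for an object (non-process) class."""
    new_type = rules.get((source.type, target.type, tclass))
    if new_type is None:
        # No matching type_transition rule: the type defaults to the
        # target's type, here the type of the filesystem SID.
        new_type = target.type
    # New objects take the creator's user and the object_r role.
    return Context(source.user, "object_r", new_type)

def inode_label(behavior, creator, fs_context, tclass, rules, xattr=None):
    """Return the inode label under the given fs_use_* behavior."""
    if behavior == "fs_use_xattr":
        # The label is whatever is stored in the inode's security xattr.
        if xattr is None:
            raise ValueError("model requires a stored xattr label")
        return Context(*xattr.split(":"))
    if behavior == "fs_use_task":
        # The inode takes the label of its creator.
        return creator
    if behavior == "fs_use_trans":
        # Computed from the creating process SID and the filesystem SID.
        return transition_sid(creator, fs_context, tclass, rules)
    raise ValueError("unknown behavior: " + behavior)

if __name__ == "__main__":
    sshd = Context("system_u", "system_r", "sshd_t")      # constructed creator
    devpts = Context("system_u", "object_r", "devpts_t")  # constructed fs SID
    for rules in (TYPE_TRANSITIONS, {}):
        print(inode_label("fs_use_trans", sshd, devpts, "chr_file", rules))
```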

