On Oct 14, 2014 10:43 AM, "Stephen Smalley" <sds@xxxxxxxxxxxxx> wrote:
>
> On 10/14/2014 11:00 AM, William Roberts wrote:
> > Yeah looking at this statement doesn't really just allow for the use of
> > type_transition statements on that filesystem? It doesn't actually generate
> > labels, you still need the typetrans rule. It appears that the definition
> > is overreaching for its actual function and probably inferring something
> > from refpolicy.
>
> Each of the fs_use_* statements specifies how to determine the label for
> existing inodes in the filesystem. fs_use_xattr tells SELinux to fetch
> the inode label via ->getxattr(). fs_use_task tells SELinux to assign
> the inode the label of its creator. fs_use_trans tells SELinux to
> compute the inode label based on the result of security_transition_sid()
> on the creating process SID and the filesystem SID. What
> security_transition_sid() returns depends on whether or not you have a
> transition rule in policy. So fs_use_trans doesn't guarantee that you
> have a transition rule in place; it just allows you to use transition
> rules if you wish to label the inodes based on some combination of the
> creating process domain and the filesystem type.
>
>
OK that makes more sense to me than the other documents I read. Thanks.
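A small model of the three fs_use_* behaviours described in the quoted reply, added here as an illustration and not code from this thread or from the kernel. It assumes simplified "user:role:type" contexts, ignores MLS and default_* rules, and the policy entries are constructed samples.

```python
"""Simplified model of how SELinux picks a label for an inode under each
fs_use_* behaviour. Added example, not kernel code: contexts are plain
"user:role:type" strings, MLS and default_* rules are ignored, and the
fs_use/type_transition entries below are a constructed sample policy."""

# Constructed sample policy: filesystem behaviour and the filesystem's own label.
FS_USE = {
    "ext4":   ("xattr", "system_u:object_r:fs_t"),
    "pipefs": ("task",  "system_u:object_r:fs_t"),
    "tmpfs":  ("trans", "system_u:object_r:tmpfs_t"),
    "devpts": ("trans", "system_u:object_r:devpts_t"),
}
# type_transition <source_type> <target_type>:<class> <new_type>;
TYPE_TRANSITION = {
    ("sshd_t", "devpts_t", "chr_file"): "sshd_devpts_t",
}

def type_of(ctx): return ctx.split(":")[2]
def user_of(ctx): return ctx.split(":")[0]

def transition_sid(source_ctx, target_ctx, tclass):
    """Model of security_transition_sid() for object classes: the new type comes
    from a matching type_transition rule, otherwise the target's (here the
    filesystem's) type; user is inherited from the creator, role is object_r."""
    key = (type_of(source_ctx), type_of(target_ctx), tclass)
    new_type = TYPE_TRANSITION.get(key, type_of(target_ctx))
    return f"{user_of(source_ctx)}:object_r:{new_type}"

def inode_label(fstype, creator_ctx, tclass, xattr=None):
    """Label a new inode on `fstype` created by a process running as `creator_ctx`."""
    behavior, fs_ctx = FS_USE[fstype]
    if behavior == "xattr":   # fs_use_xattr: label comes from ->getxattr()
        return xattr if xattr is not None else "system_u:object_r:unlabeled_t"
    if behavior == "task":    # fs_use_task: inode gets the creator's label
        return creator_ctx
    if behavior == "trans":   # fs_use_trans: computed from creator SID + fs SID
        return transition_sid(creator_ctx, fs_ctx, tclass)
    raise ValueError(f"unknown fs_use behaviour {behavior!r}")
```

With a matching type_transition rule the devpts inode becomes sshd_devpts_t; without one, fs_use_trans simply falls back to the filesystem's type, which is the point made in the reply.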
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.