On Tue, Oct 14, 2014 at 01:39:39PM -0400, Stephen Smalley wrote:
> On 10/14/2014 11:00 AM, William Roberts wrote:
> > Yeah, looking at this statement, doesn't it really just allow for the use of
> > type_transition statements on that filesystem? It doesn't actually generate
> > labels, you still need the typetrans rule. It appears that the definition
> > is overreaching for its actual function and probably inferring something
> > from refpolicy.
>
> Each of the fs_use_* statements specifies how to determine the label for
> existing inodes in the filesystem. fs_use_xattr tells SELinux to fetch
> the inode label via ->getxattr(). fs_use_task tells SELinux to assign
> the inode the label of its creator. fs_use_trans tells SELinux to
> compute the inode label based on the result of security_transition_sid()
> on the creating process SID and the filesystem SID. What
> security_transition_sid() returns depends on whether or not you have a
> transition rule in policy. So fs_use_trans doesn't guarantee that you
> have a transition rule in place; it just allows you to use transition
> rules if you wish to label the inodes based on some combination of the
> creating process domain and the filesystem type.

In light of the above, in what category do you think the following file systems would fall (if any): aio, drm, anon_inodefs, bdev, efivarfs?

I currently use genfscon for all of the above, but I suspect that this is wrong for the above. They are initialized but do not show up in the mount table.

-- 
Dominick Grift
Attachment: pgpEA30gGsVbu.pgp (PGP signature)
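To make the three labeling behaviours Stephen describes concrete, here is a constructed kernel-policy-language fragment. It is an added illustration, not code from this thread or from refpolicy; the filesystem names follow the kernel's pseudo-filesystem names, and the types (fs_t, devpts_t, tmpfs_t, sshd_t, sshd_devpts_t, proc_t, sysctl_net_t) are assumed to be declared elsewhere in the policy.

```selinux
# Constructed policy fragment (added illustration, not from this thread or
# from refpolicy). All types used below are assumed to be declared elsewhere.

# fs_use_xattr: each inode's label is read from its security.selinux xattr via
# ->getxattr(). The context given here only labels the filesystem (superblock)
# itself; it is not applied to the inodes.
fs_use_xattr ext4 system_u:object_r:fs_t:s0;

# fs_use_task: each inode gets the label of the task that created it. Used for
# pseudo-filesystems whose objects are private to their creator.
fs_use_task pipefs system_u:object_r:fs_t:s0;
fs_use_task sockfs system_u:object_r:fs_t:s0;

# fs_use_trans: each inode's label is security_transition_sid(creating task,
# filesystem label). Whether that differs from the filesystem label depends
# entirely on whether a type_transition rule matches.
fs_use_trans devpts system_u:object_r:devpts_t:s0;
fs_use_trans tmpfs  system_u:object_r:tmpfs_t:s0;

# With no matching type_transition, the computed SID for a file-like class
# defaults to the target (filesystem) type, so a pty on devpts is devpts_t.
# With this rule, a pty created by a process in sshd_t is labelled
# sshd_devpts_t instead (sshd_devpts_t is an assumed type name).
type_transition sshd_t devpts_t:chr_file sshd_devpts_t;

# genfscon: a fixed label for every inode under the given path, with no
# creator- or xattr-based variation. This is the fallback for filesystems
# that fit none of the fs_use_* behaviours; the most specific path wins.
genfscon proc /        system_u:object_r:proc_t:s0
genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
```

The practical distinction for the filesystems Dominick lists is whether their inodes should carry the filesystem's fixed label (genfscon), the creator's label (fs_use_task), or a label chosen by type_transition (fs_use_trans); fs_use_trans with no transition rule in policy behaves the same as a single genfscon on the root path.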
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.