On 02/29/2016 02:14 PM, Dominick Grift wrote:
I encountered this today and it got me thinking. Should this be happenin g?
Yes.
I would think that a auto type transition rule should always take precedence, and that setfscreatecon should only be honored if there is nothing in policy overriding it.
No. The type_transition rules are merely defaults to provide compatibility with a non-security-aware userspace. setfscreatecon() intentionally permits overriding type transition or default inheritance rules. Of course, one can only use setfscreatecon() if one has the requisite permissions, including setfscreate to even use it at all, plus create to the specified type. However, in Android, the usage permissions like setfscreate are tightly locked down; only a few domains are allowed them.
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
