On 08/12/2016 04:08 AM, Colin Powers wrote:
> Thanks Stephen, that's really interesting.
>
> I can solve my problem another way using a userspace process; it will just be a bit less convenient than using mount. I have a security need to prevent a compromised network process from accessing other network interfaces.
>
> Is this scenario also true for other types of file shares that could be mounted, e.g. NFS, FTP (via curlftpfs)?

Generally a socket is only created at mount time, and used for requests from all clients, so it would be true for other remote filesystems as well. In some cases, the socket may be created by userspace (e.g. likely the case for curlftpfs; might also be true for earlier versions of NFS where the MOUNT protocol was performed by userspace) and therefore be labeled with the context of the mounting process; in other cases, the socket may be created and kept private to the kernel, and is therefore labeled with the kernel context. Regardless, the socket context is not going to reflect the context of the individual clients and therefore won't help with this kind of access control.

_______________________________________________
Selinux mailing list