
List:       selinux
Subject:    Re: fs_use_trans
From:       Dominick Grift <dac.override () gmail ! com>
Date:       2014-10-15 10:43:45
Message-ID: 20141015104342.GA961 () e145 ! network2


On Tue, Oct 14, 2014 at 01:39:39PM -0400, Stephen Smalley wrote:
> On 10/14/2014 11:00 AM, William Roberts wrote:
> > Yeah looking at this statement doesn't really just allow for the use of
> > type_transition statements on that filesystem? It doesn't actually generate
> > labels, you still need the typetrans rule. It appears that the definition
> > is overreaching for its actual function and probably inferring something
> > from refpolicy.
> 
> Each of the fs_use_* statements specifies how to determine the label for
> existing inodes in the filesystem.  fs_use_xattr tells SELinux to fetch
> the inode label via ->getxattr().  fs_use_task tells SELinux to assign
> the inode the label of its creator.  fs_use_trans tells SELinux to
> compute the inode label based on the result of security_transition_sid()
> on the creating process SID and the filesystem SID.  What
> security_transition_sid() returns depends on whether or not you have a
> transition rule in policy.  So fs_use_trans doesn't guarantee that you
> have a transition rule in place; it just allows you to use transition
> rules if you wish to label the inodes based on some combination of the
> creating process domain and the filesystem type.
> 

In light of the above, in what category do you think the following file systems would fall (if any):

aio, drm, anon_inodefs, bdev, efivarfs

I currently use genfscon for all of the above, but I suspect that this is wrong for the above.

They are initialized but do not show up in the mount table.

-- 
Dominick Grift
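
The three fs_use_* behaviors described in the quoted reply, as a simplified Python model. This is an added example, not part of the original message and not kernel or policy code. The helper names, the three-field context format (MLS level omitted) and the sample contexts and rule are assumptions made for illustration.

```python
# Simplified model: contexts are "user:role:type" (MLS level omitted).
# The contexts and the rule below are sample values, not a real policy.

def transition_sid(creator, fs, tclass, rules):
    """Stand-in for security_transition_sid() on a file-class object."""
    c_user, _c_role, c_type = creator.split(":")
    fs_type = fs.split(":")[2]
    # A matching type_transition rule supplies the new type. Without one
    # the type defaults to the target's type, here the filesystem's own
    # type (assumption: the policy has no default_* statements).
    new_type = rules.get((c_type, fs_type, tclass), fs_type)
    return f"{c_user}:object_r:{new_type}"

def inode_label(behavior, creator, fs, tclass, rules=None, xattr=None):
    """Return the label an inode gets under one fs_use_* behavior."""
    if behavior == "fs_use_xattr":
        # Label is whatever is stored on the inode and read via getxattr.
        if xattr is None:
            raise ValueError("model needs the stored xattr value")
        return xattr
    if behavior == "fs_use_task":
        # Inode takes the label of the process that created it.
        return creator
    if behavior == "fs_use_trans":
        # Computed from creator SID and filesystem SID; a transition
        # rule is optional, as the quoted reply points out.
        return transition_sid(creator, fs, tclass, rules or {})
    raise ValueError(f"unknown behavior: {behavior}")

CREATOR = "system_u:system_r:sshd_t"       # sample creating process
FS = "system_u:object_r:devpts_t"          # sample filesystem label
RULES = {("sshd_t", "devpts_t", "chr_file"): "sshd_devpts_t"}

if __name__ == "__main__":
    print(inode_label("fs_use_task", CREATOR, FS, "chr_file"))
    print(inode_label("fs_use_trans", CREATOR, FS, "chr_file"))
    print(inode_label("fs_use_trans", CREATOR, FS, "chr_file", RULES))
```
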
