New file getting different context than what restorecond specifies

Bruno Wolff III bruno at wolff.to
Mon Jan 31 17:56:39 UTC 2011


On Mon, Jan 31, 2011 at 18:19:12 +0100,
  Luis Fernando Muñoz Mejías <Luis.Fernando.Munoz.Mejias at cern.ch> wrote:
> 
> What I expect from reading a policy is this: if a process context is
> allowed to create in a directory, new files should have the context the
> policy specifies, so that SELinux-unaware code (f.i, automatic config
> generators) doesn't break.

The issue is that the file context list used by restorecon isn't really
integrated into the rest of policy. Doing the look up when doing all
file creations would be very expensive. So the only information currently
used at creation time is the context of the directory the file is being
created in, the context of the process doing the creation and the type (char,
block, dir, etc.) of object being created.

However, down the road the final part of the pathname may become usable,
which would help in cases like this. See:
http://lwn.net/Articles/419161/
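The following is an added example, not code from this thread or from the SELinux project. It models the two labeling mechanisms the reply contrasts: at creation time the kernel picks a type from only the creating process type, the parent directory type and the object class (type_transition rules, else inherit the directory type), while restorecon consults the path-based file_contexts database. The policy fragments, the regex matcher and the optional last-pathname-component transition are all constructed simplifications (the real kernel logic and libselinux matchpathcon handle far more cases), so treat the types and rules below as assumptions for illustration only.

```python
import re

# --- Constructed policy fragments (assumption: loosely refpolicy-flavoured,
# --- a handful of rules, not a real policy) ---

# type_transition rules: (creating process type, parent dir type, class) -> type.
# These are the only inputs the kernel uses at creation time in this model.
TYPE_TRANSITIONS = {
    ("httpd_t", "tmp_t", "file"): "httpd_tmp_t",
}

# Transitions additionally keyed on the final pathname component, modelling the
# "final part of the pathname may become usable" case the reply anticipates.
# (assumption: shape of the rule is illustrative)
FILENAME_TRANSITIONS = {
    ("unconfined_t", "etc_t", "file", "resolv.conf"): "net_conf_t",
}

# file_contexts entries as used by restorecon/matchpathcon: (regex, type).
# Ordered general to specific; the last matching entry wins (simplified from
# file_contexts(5)). None models "<<none>>": restorecon leaves the label alone.
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/resolv\.conf", "net_conf_t"),
    (r"/tmp(/.*)?", "tmp_t"),
    (r"/tmp/.*", None),
]


def creation_type(proc_type, dir_type, obj_class, name, name_transitions=False):
    """Type assigned at creation time.

    Without name_transitions the pathname is never consulted: a matching
    type_transition rule wins, otherwise the new object inherits the parent
    directory's type.
    """
    if name_transitions:
        t = FILENAME_TRANSITIONS.get((proc_type, dir_type, obj_class, name))
        if t is not None:
            return t
    t = TYPE_TRANSITIONS.get((proc_type, dir_type, obj_class))
    if t is not None:
        return t
    return dir_type


def restorecon_type(path):
    """Type restorecon would apply to `path` (None means <<none>>, untouched)."""
    chosen = None
    for regex, ftype in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            chosen = ftype
    return chosen


def compare(proc_type, dir_type, obj_class, path, name_transitions=False):
    """Return (creation-time type, restorecon type, consistent?).

    A <<none>> entry means restorecon would never relabel the object, so no
    drift is possible there regardless of the creation-time type.
    """
    name = path.rsplit("/", 1)[-1]
    created = creation_type(proc_type, dir_type, obj_class, name, name_transitions)
    expected = restorecon_type(path)
    consistent = expected is None or created == expected
    return created, expected, consistent


if __name__ == "__main__":
    # An SELinux-unaware config generator running as unconfined_t writes
    # /etc/resolv.conf into an etc_t directory: creation-time label vs restorecon.
    cases = [
        ("unconfined_t", "etc_t", "file", "/etc/resolv.conf", False),
        ("unconfined_t", "etc_t", "file", "/etc/resolv.conf", True),
        ("unconfined_t", "etc_t", "file", "/etc/hosts", False),
        ("httpd_t", "tmp_t", "file", "/tmp/sess_01", False),
    ]
    for proc, d, cls, path, by_name in cases:
        created, expected, ok = compare(proc, d, cls, path, by_name)
        print(f"{path:18} by {proc:13} name_trans={by_name!s:5} "
              f"created={created:12} restorecon={str(expected):12} "
              f"{'ok' if ok else 'MISMATCH'}")
```

The first case is the situation the thread is about: the file is created as etc_t because nothing at creation time knows the pathname, and a later restorecon would flip it to net_conf_t. The second case shows how a transition keyed on the final pathname component closes that gap for the specific name, while /etc/hosts is consistent either way because the file_contexts entry and the inherited directory type agree.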

