On Tue, 2008-05-20 at 15:33 -0400, Stephen Smalley wrote:
On Tue, 2008-05-20 at 15:12 -0400, Eric Paris wrote:
> ***restorecon:
> do we have an interface to see what is actually in security.xattr?
No - because we don't have separate interfaces for getting/setting MAC
labels vs. getting/setting xattrs, unlike FreeBSD (where MAC labels are
a first class construct and xattrs are just a storage mechanism that may
or may not be used by the MAC module).
We had talked about the possibility of allowing processes with
CAP_MAC_ADMIN to get the raw context via getxattr in the deferred
contexts thread on selinux list. But see my comments there.
In particular, see:
http://marc.info/?l=selinux&m=121016477203440&w=2
http://marc.info/?l=selinux&m=121016814610025&w=2
http://marc.info/?l=selinux&m=121017332919586&w=2
It is possible, but we have to figure out how we want to handle it; we
don't want every getxattr call to trigger a full capable() check along
with auditing.
--
Stephen Smalley
National Security Agency