On Tue, 2004-08-31 at 15:18, Luke Kenneth Casson Leighton wrote:
> i think we need the input of more experienced people than us to
> say why these associate things are needed.

It provides control over the set of files that can live in a given
filesystem, based on their security types (equivalence classes). As you
are now creating device types in a different filesystem type, further
allow rules are needed to allow that association.

> a correct implementation of the
> hacked-together-relaxed-fscontext-hooks.c-patch results in an atomic
> operation (mount with a new context which would otherwise need to be
> achieved with two commands: mount followed by restorecon)

The more important issue is that fscontext= lets you set the superblock
security context, not just the root directory context. restorecon can't

Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency