On Tue, 04 Jan 2005 11:25:31 -0500, Stephen Smalley wrote:
> I'm not in favor of the daemon idea. "install" is akin to "rpm" in the
> sense of installing a file, so it may make sense to initialize its
> security context based on pathname at that time, because we have no real
> runtime knowledge of its security properties and have presumably checked
> its integrity in some manner prior to installation.

Alright. It seems to me then that files that are not copied in some
SELinux-aware manner from an installer (i.e. new files created in /usr/lib
or whatever) should just be subject to normal UNIX security and SELinux
should not control them. Supporting SELinux would then become a feature of
newer installers, but older software would not break.
I have a feeling you can't selectively opt files out of SELinux like that
though.