SELinux Mailing List
subject: what to do with matchpathcon on S_IFCHR, S_IFBLK, hard links and fifos
Date: Wed, 1 Sep 2004 18:49:09 +0100

ta, l.
--

subject: Re: what to do with matchpathcon on S_IFCHR, S_IFBLK, hard links and fifos
Date: Thu, 02 Sep 2004 08:02:45 -0400

Pass the mode; matchpathcon will take (mode & S_IFMT) and compare it with the file type specified in file_contexts (-b, -c, -d, -p, -l, -s, --, or nothing to match any file type).

Multiple hard links are a separate issue; setfiles keeps track of inode->specification mappings as it traverses a filesystem and detects conflicts, but matchpathcon can't do that obviously.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
subject: Re: what to do with matchpathcon on S_IFCHR, S_IFBLK, hard links and fifos
Date: Thu, 2 Sep 2004 14:44:54 +0100

> On Wed, 2004-09-01 at 13:49, Luke Kenneth Casson Leighton wrote:

ta stephen.

okay, second question, if i may.

if i have set up file contexts on some files in a temporary directory (of course, using matchpathcon to set the context of where the file is _going_ to be not where it _is_), then will the "/bin/mv" command preserve those file contexts even across filesystem boundaries - without any extra arguments?

if so i don't have to patch dpkg's use of mv, which would be good.

ta,

l.

--
--
Truth, honesty and respect are rare commodities that all spring from the same well: Love. If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better.
--
lkcl.net (http://lkcl.net)
lkcl@lkcl.net

From: Stephen Smalley <sds_at_epoch.ncsc.mil>
subject: Re: what to do with matchpathcon on S_IFCHR, S_IFBLK, hard links and fifos
Date: Thu, 02 Sep 2004 09:38:36 -0400

With a SELinux-patched coreutils, yes; mv attempts to preserve the security context on the file even when moving across filesystem boundaries. But it cannot always succeed, e.g. the filesystem may not support xattrs or the policy may deny access due to file create permission or filesystem associate permission.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

From: Luke Kenneth Casson Leighton <lkcl_at_lkcl.net>
subject: Re: what to do with matchpathcon on S_IFCHR, S_IFBLK, hard links and fifos
Date: Thu, 2 Sep 2004 18:12:59 +0100

... okay [this is for what i am considering for dpkg].

so in that case, dpkg's policy file may need updating: unlikely as it already allows files to be mv'd.

ta.

l.
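
The file-type check described in the first reply of this thread, as an added example that is not part of the original posts and is not libselinux's code: a simplified Python model of a lookup that takes (mode & S_IFMT) and compares it with the type flag of each file_contexts entry. The sample entries, the context names, the skipped type check for a mode of 0 and the last-match-wins ordering are assumptions made for this sketch.

```python
import re
import stat

# file_contexts type flags mapped to the S_IFMT value each one selects.
TYPE_FLAGS = {
    "-b": stat.S_IFBLK, "-c": stat.S_IFCHR, "-d": stat.S_IFDIR,
    "-p": stat.S_IFIFO, "-l": stat.S_IFLNK, "-s": stat.S_IFSOCK,
    "--": stat.S_IFREG,
}

# Constructed sample entries; the context names are illustrative, not real policy.
SAMPLE_FILE_CONTEXTS = """\
# path regex     type  context
/dev/.*                system_u:object_r:device_t
/dev/hd[a-z]     -b    system_u:object_r:fixed_disk_device_t
/dev/tty[0-9]+   -c    system_u:object_r:tty_device_t
/dev/initctl     -p    system_u:object_r:initctl_t
/tmp/pkg(/.*)?   --    system_u:object_r:tmp_pkg_t
"""

def parse_file_contexts(text):
    """Return a list of (compiled_regex, wanted_type_or_None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:          # no type flag: matches any file type
            regex, wanted, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regex, wanted, context = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            continue                  # malformed entry, ignored in this sketch
        specs.append((re.compile(regex), wanted, context))
    return specs

def match_path_context(specs, path, mode):
    """Context of the last entry whose regex and file type both match, or None."""
    file_type = stat.S_IFMT(mode)     # the (mode & S_IFMT) step from the reply
    result = None
    for regex, wanted, context in specs:
        # Assumption of this sketch: a mode of 0 skips the type comparison.
        if wanted is not None and file_type and wanted != file_type:
            continue
        if regex.fullmatch(path):     # entries match the whole path
            result = context
    return result

SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
```

Passing the mode of the file as it will exist at the destination path is what lets a typed entry such as the `-b` one win over the untyped `/dev/.*` entry.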
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |