[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: copying selinux context

From: Paolo Bonzini
Subject: Re: copying selinux context
Date: Mon, 29 Jun 2009 00:49:07 +0200
User-agent: Thunderbird (X11/20081009)

About the return value of getfilecon: Why do you ignore only the ENOSYS error
and not also ENOTSUP and ENODATA?

I was copying what cp does.

       If the context does not exist, or the process has  no  access  to  this
       attribute, errno is set to ENODATA.

       If extended attributes are not supported by the filesystem, or are dis-
       abled, errno is set to ENOTSUP.

For ENOTSUP, I think you're right (though in practice SELinux will be disabled in this case, so getfilecon will not be called; even NFS is a supported filesystem).

For ENODATA, SELinux in permissive mode will never return it while in enforcing mode it is correct to treat it as an error. (In permissive mode security violations are reported to the user, but only as warnings).

I can try tomorrow
  2) We should also have a module that creates a new, empty file with the
     security context (uid, gid, mode, ACL and selinux context) of a given
I don't think so, because most of the time you want restrictive permissions until the file is complete.

Why? Is a portion of a file more sensitive than the entire file's contents?

Yes, for example "rm -rf /" is more sensitive than "rm -rf /tmp/blah".


reply via email to

[Prev in Thread] Current Thread [Next in Thread]