Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1030651AbWKOQW7 (ORCPT ); Wed, 15 Nov 2006 11:22:59 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1030655AbWKOQW7 (ORCPT ); Wed, 15 Nov 2006 11:22:59 -0500 Received: from mail7.sea5.speakeasy.net ([69.17.117.9]:1220 "EHLO mail7.sea5.speakeasy.net") by vger.kernel.org with ESMTP id S1030651AbWKOQW6 (ORCPT ); Wed, 15 Nov 2006 11:22:58 -0500 Date: Wed, 15 Nov 2006 11:22:55 -0500 (EST) From: James Morris X-X-Sender: jmorris@d.namei To: David Howells cc: Linus Torvalds , Andrew Morton , Stephen Smalley , trond.myklebust@fys.uio.no, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, aviro@redhat.com, steved@redhat.com Subject: Re: [PATCH 12/19] CacheFiles: Permit a process's create SID to be overridden In-Reply-To: <24555.1163598644@redhat.com> Message-ID: References: <20061114200621.12943.18023.stgit@warthog.cambridge.redhat.com> <20061114200647.12943.39802.stgit@warthog.cambridge.redhat.com> <24555.1163598644@redhat.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 837 Lines: 29 On Wed, 15 Nov 2006, David Howells wrote: > James Morris wrote: > > > The ability to set this needs to be mediated via MAC policy. > > Something like this, you mean? Yes, although perhaps writing to tsec->kern_create_sid or similar, which then overrides tsec->create_sid if set. Also need /proc/pid/attr/kern_fscreate as a read only node. > + error = task_has_perm(current, current, PROCESS__SETFSCREATE); I wonder if we also need 'relabelto' and 'relabelfrom' permissions, to control which labels are being used. - James -- James Morris - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/