On 06/17/2015 08:37 AM, William Roberts wrote:
> On Wed, Jun 17, 2015 at 5:24 AM, Stephen Smalley <[email protected]> wrote:
>
> > On 06/17/2015 07:09 AM, William Roberts wrote:
> > > I was forgetting that ueventd and watchdogd are just symlinks back to
> > > init, not sure what the best approach is for them. Perhaps we could
> > > compute the "seclabel" implicitly from the linkfile label and
> > > setexecon() based on that.
> >
> > No, just keep using seclabel for them, please.
> > There are legitimate uses for seclabel; we just want to keep them
> > minimal
>
> Yes, I am not saying those are invalid uses of seclabel. However, to have
> N different ways of doing things is less than ideal. It should be either
> present and used in many places, or dead completely. If we leave support
> for it, it's one more thing a policy author needs to learn and understand.
> What are the problems with computing it? We have the information available
> to properly do so. We would likely want to verify that the links resolve
> within the rootfs.

If you look further up in the thread, you'll see that Johan and I both pointed out cases where it is still legitimate and likely required to use seclabel. I don't believe you can kill it entirely. Relying on a symlink label is perilous and diverges even farther from normal SELinux behavior than just explicitly specifying the label via seclabel.
