On Wed, Dec 08, 2010 at 02:45:27PM -0500, Eric Paris wrote:
> SELinux would like to implement a new labeling behavior of newly created
> inodes. We currently label new inodes based on the parent and the creating
> process. This new behavior would also take into account the name of the
> new objec
On Thu, 2010-12-09 at 12:48 -0500, John Stoffel wrote:
> > "Eric" == Eric Paris writes:
>
> Eric> On Thu, 2010-12-09 at 10:05 -0500, John Stoffel wrote:
> >> > "Eric" == Eric Paris writes:
>
> Eric> This patch adds a 4th piece of information, the name of the
> Eric> object being created
> "Eric" == Eric Paris writes:
Eric> On Thu, 2010-12-09 at 10:05 -0500, John Stoffel wrote:
>> > "Eric" == Eric Paris writes:
>> So what happens when I create a file /home/john/shadow, does selinux
>> (or LSM in general) then run extra checks because the filename is
>> 'shadow' in your
Quoting John Stoffel (j...@stoffel.org):
> > "Eric" == Eric Paris writes:
>
> Eric> SELinux would like to implement a new labeling behavior of newly
> Eric> created inodes. We currently label new inodes based on the
> Eric> parent and the creating process. This new behavior would also
> Eri
On Thu, 2010-12-09 at 10:05 -0500, John Stoffel wrote:
> > "Eric" == Eric Paris writes:
> So what happens when I create a file /home/john/shadow, does selinux
> (or LSM in general) then run extra checks because the filename is
> 'shadow' in your model?
It's entirely a question of labeling
> "Eric" == Eric Paris writes:
Eric> SELinux would like to implement a new labeling behavior of newly
Eric> created inodes. We currently label new inodes based on the
Eric> parent and the creating process. This new behavior would also
Eric> take into account the name of the new object when
