Re: file_type_auto_trans is not sufficient

On Tue, May 31, 2005 at 10:57:20AM -0400, Ivan Gyurdiev wrote:
> 
> > The other option, of course, is to change the applications to use/create many
> > more directories, each with a separate type to allow the file_type_auto_trans
> > rules to work. Your orbit example might mean that there is a /tmp/orbit
> > directory where all orbit files are created.
> 
> The problem is not multiple source domains - that can be addressed
> through macros. The problem is that those domains use the same directory
> (Usually /tmp, or /home), for their own purposes, and they need the same
> transition (same directory and target class (dir/file)). 
> 
> Because you can have only one transition, this creates a problem.
 
 ...

 thinking "sideways" again - as i am wont to do.

 how about... a "sideways" solution to this - at the kernel level?

 a "silent" redirection / remount, on a per-application basis?

 no, i'm not joking.

 an option to "mount" which allows a specific APPLICATION (or group of
 applications) to have any files/directories it creates/accesses in a
 subdirectory ACTUALLY occur ELSEWHERE.

 e.g.:

 mount -o redirectexe=/usr/bin/mozilla-firefox /tmp /tmp/mozilla
 mount -o redirectexe=/usr/bin/gnomeshite,/usr/bin/gnomemoreshite /tmp /tmp/gconf

 hm, that could get out-of-hand - the number of programs involved
 that would need redirection..

 *thinks* ... some other mechanism for "grouping" executables...

 you could even hang it off of an selinux context (!) or selinux domain
 (!) such that a set of executables, possibly those executed by
 certain users, would result in filesystem redirection - but not others.

 at your own discretion.

 then, you _could_ specify /tmp/gconf equals "a different file context".

 l.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: file_type_auto_trans is not sufficient
    • From: Stephen Smalley <[email protected]>

• Prev by Date: Re: [PATCH] pci-sysfs: backport fix for 2.6.11.12
• Next by Date: Re: DocBook build failures, and graphical figures
• Previous by thread: Linux 2.4.31-rc2
• Next by thread: Re: file_type_auto_trans is not sufficient
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]