On Mon, 2005-04-04 at 11:44 -0400, Deron Meranda wrote:
> I was, though, expecting ls -Z to show the applied label. So the filesystem
> context is being applied, but you can't see it via ls -Z? I guess that makes
> sense now that I think about it, but it was a little surprising. I kind of
> expected the context= option to work somewhat like the uid= and gid= options
> as far as its visibility to ls.

Unfortunately, no. ls -Z ultimately calls getxattr on the inode, and unless
the filesystem implementation provides a getxattr method, you can't get that
information. There has been discussion of putting a transparent redirect in
the VFS so that if the filesystem implementation doesn't provide
getxattr/setxattr on the security namespace, the VFS will automatically
redirect the request to the security module (i.e. SELinux) and let it handle
it based on the incore inode security context.

> Also I think context= is what I want, versus fscontext=, since this is an
> ISO9660 filesystem that doesn't support extended attributes (xattr).
> Otherwise Apache could see the filesystem, but not the individual files
> inside it. Isn't that correct?

I think for iso9660 they are effectively equivalent. It would make a
difference for filesystems that have native xattr support.

--
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency
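The mechanism Stephen describes can be checked directly: ls -Z does nothing more than an lgetxattr(2) for the "security.selinux" name on each path, so whether a label is visible depends entirely on whether that call succeeds for the inode. The probe below is an added illustration written for this thread, not code from the message or from coreutils; it assumes Linux (sys/xattr.h, lgetxattr) and distinguishes the three outcomes a practitioner meets: a label came back, the filesystem supports xattrs but stores no label (ENODATA), or there is no getxattr path for the inode at all (EOPNOTSUPP). The redirect discussed in the message was later added to the VFS, so on current kernels a context= mount of an iso9660 image does report its label here; on a 2005-era kernel the same mount lands in the "unsupported" branch.

```c
/* label_probe.c: mimic what `ls -Z` does to obtain a file's SELinux label.
 * Added example for this thread, not code from the original message.
 * Assumes Linux. Build: cc -Wall -o label_probe label_probe.c
 * Usage: ./label_probe /mnt/cd /mnt/cd/index.html
 * (mount point assumed, e.g. from
 *   mount -t iso9660 -o loop,context=<label> image.iso /mnt/cd
 *  where <label> is whatever context your Apache policy may read)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/xattr.h>

enum label_result {
    LABEL_OK,          /* the inode returned a security.selinux value */
    LABEL_NONE,        /* xattrs supported, but no label stored (ENODATA) */
    LABEL_UNSUPPORTED, /* no getxattr path for this inode (EOPNOTSUPP) */
    LABEL_ERROR        /* anything else: ENOENT, EACCES, ERANGE, ... */
};

/* Fetch the security.selinux xattr of `path` without following a final
 * symlink, as ls -Z does via lgetxattr(2). On LABEL_OK, `buf` holds the
 * NUL-terminated label. `err` (may be NULL) receives errno on failure. */
enum label_result probe_label(const char *path, char *buf, size_t len, int *err)
{
    if (len == 0) {
        if (err) *err = EINVAL;
        return LABEL_ERROR;
    }
    ssize_t n = lgetxattr(path, "security.selinux", buf, len - 1);
    if (n >= 0) {
        buf[n] = '\0';          /* the kernel value may or may not include a NUL */
        return LABEL_OK;
    }
    if (err) *err = errno;
    switch (errno) {
    case ENODATA:
        return LABEL_NONE;
    case ENOTSUP:               /* ENOTSUP == EOPNOTSUPP on Linux */
        return LABEL_UNSUPPORTED;
    default:
        return LABEL_ERROR;
    }
}

/* Convenience wrappers returning plain ints, usable from a test harness. */
int probe_result(const char *path)
{
    char buf[256];
    return (int)probe_label(path, buf, sizeof buf, NULL);
}

int probe_errno(const char *path)
{
    char buf[256];
    int err = 0;
    if (probe_label(path, buf, sizeof buf, &err) == LABEL_OK)
        return 0;
    return err;
}

static const char *describe(enum label_result r)
{
    switch (r) {
    case LABEL_OK:          return "labelled";
    case LABEL_NONE:        return "no label stored";
    case LABEL_UNSUPPORTED: return "filesystem has no getxattr for security.*";
    default:                return "error";
    }
}

int main(int argc, char **argv)
{
    char label[256];
    for (int i = 1; i < argc; i++) {
        int err = 0;
        enum label_result r = probe_label(argv[i], label, sizeof label, &err);
        if (r == LABEL_OK)
            printf("%s  %s\n", label, argv[i]);
        else
            printf("?  %s  (%s: %s)\n", argv[i], describe(r), strerror(err));
    }
    return 0;
}
```

Run it against the mount point and a file inside it: the mount point itself is labelled via the superblock, so if the directory reports a label but the files report "filesystem has no getxattr", you are on a kernel without the VFS redirect and `ls -Z` will show nothing for the files even though the context= label is in force for access decisions.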