On Sat, 2008-05-31 at 04:27 -0400, Christoph Hellwig wrote:
quoted text
> On Thu, May 29, 2008 at 01:32:51PM +0200, Miklos Szeredi wrote:
> > Convert the selinux sysctl pathname computation code into a standalone
> > function.
> 
> No point bloating core kernel for selinux mess.  And this whole routine
> should rather go away rather than moving it to core code.  While doing
> pathname based lookup for the label might work for the limited case
> of sysctl where there are no symlinks but is a rather dumb idea in
> general.  And reconstructing this path from the sysctl tables is twice
> as dumb.

I didn't see an alternative for fine-grained labeling of sysctl - the
pathname was the only stable key I could use as an index into policy;
xattrs or the like didn't make sense there.  And generating the pathname
from the sysctl tables ensured that we obtained a stable result that
wasn't mutable by userspace.  Do you have an alternative suggestion?

-- 
Stephen Smalley
National Security Agency

--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/