Picking up on this:

> Yeah I have run into this before. In Samsung we just sent an OTA, as it was no big deal. We either need something like relabeld or a way for the kernel to set the security attribute at file open based on the policy, rather than needing to label.... I'm not a huge fan of labeling.

>> Labeling may be painful at times, but all the alternatives are far
>> worse. And setting the security attribute at file open would defeat the
>> entire purpose. Anyway, that's rather off-topic.

>>> Can we start another thread on this? I would love to hear what you know on this. How would consulting the policy before the descriptor being handed out be a security issue? I could see there being performance issues, but considering we have named type transitions for files, isn't this really an extension of that? We assume that policies are never modified, and if someone can change the policy or the security xattr, then they have won anyways.

--
Respectfully,
William C Roberts