On 06/10/2014 03:35 PM, Dinesh Garg wrote:
> Since the partition number is not fixed, following the hammerhead example would
> lead to providing access to all partitions eventually. This would be no
> better than a rule created using denial logs.
>
> Similarly, specifying the real path in policy is not possible.
>
> I am not sure if xattr supports storing multiple labels for the same
> file. In that case, labels for symlinks can be stored in the same node.
What do you mean by "partition number is not fixed"? When and how does it get assigned?

You can only set a single security.selinux attribute on a given file.

The labels to assign when the files are created by ueventd are determined from the file_contexts configuration. So, one could modify ueventd to take the link names, look them up, and use the context specified for them instead of the context specified for the device node path. But how do you know which one to use if there are multiple links to the device node, or how do you know which one to use if there is an entry for the link name and for the device path in file_contexts? Which one wins? (And since everything will at least match /dev/(/.*)?, we'd have to explicitly check for that in ueventd and treat it as a no-match to distinguish when an entry is specified.)
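To make the lookup question concrete, here is an added Python model of the ueventd variant sketched above; it is not code from this thread, from ueventd or from libselinux. It assumes the classic file_contexts rule that the last matching entry wins, a constructed file_contexts fragment with constructed device paths and by-name link names, and it treats a hit on the generic /dev catch-all entry as "no entry for this name", reporting conflicting link entries as ambiguous instead of silently picking one.

```python
import re

# Constructed file_contexts fragment (not taken from any device's policy).
# The example assumes the LAST matching entry in file order wins.
FILE_CONTEXTS = """\
/dev(/.*)?                                      u:object_r:device:s0
/dev/block(/.*)?                                u:object_r:block_device:s0
/dev/block/platform/example.0/by-name/userdata  u:object_r:userdata_block_device:s0
/dev/block/platform/example.0/by-name/cache     u:object_r:cache_block_device:s0
"""
CATCH_ALL = "/dev(/.*)?"  # generic entry that every device path matches


def parse_file_contexts(text):
    """Return [(pattern, compiled regex, context)] in file order.
    Comments and blank lines are dropped; an optional middle type field
    (e.g. -b) is tolerated because only the first and last fields are used."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pattern, context = fields[0], fields[-1]
        specs.append((pattern, re.compile("^(?:" + pattern + ")$"), context))
    return specs


def lookup(specs, path):
    """Last matching entry wins; returns (pattern, context) or None."""
    for pattern, regex, context in reversed(specs):
        if regex.match(path):
            return pattern, context
    return None


def label_for_device(specs, node_path, link_names=()):
    """Prefer a file_contexts entry for a symlink name over the node path.
    A link whose only hit is the /dev catch-all counts as no entry, so the
    node path's own context is used; links that resolve to different
    specific contexts are reported as ambiguous rather than guessed."""
    node_ctx = lookup(specs, node_path)[1]
    link_ctxs = set()
    for link in link_names:
        hit = lookup(specs, link)
        if hit and hit[0] != CATCH_ALL:
            link_ctxs.add(hit[1])
    if not link_ctxs:
        return node_ctx, "node path"
    if len(link_ctxs) == 1:
        return link_ctxs.pop(), "symlink name"
    return None, "ambiguous: " + ", ".join(sorted(link_ctxs))
```

Running `label_for_device` on a node with one by-name link yields that link's context, while a node whose links all fall through to the catch-all keeps its node-path context.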