SELinux Mailing List

Re: Changes to policycoreutils.

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 20 Mar 2006 09:51:47 -0500


Stephen Smalley wrote:
> On Sat, 2006-03-18 at 11:54 -0500, Daniel J Walsh wrote:
>
>> The answer is that is, if the file is created by a confined domain it
>> will be instantly. SELinux aware applications also create it instantly.
>> This is more for the non SELinux aware applications.
>> So the example of the user creating the public_html directory.
>>
>> It happens very fast, as a matter of fact you can try this command to see it
>>
>> rmdir public_html; mkdir public_html; ls -ldZ public_html
>> drwxrwxr-x dwalsh dwalsh user_u:object_r:httpd_sys_content_t public_html
>>
>> This should not be considered a failsafe security measure, but more of a
>> usability issue.
>> If you have a file that is of critical security you might not want to
>> use this tool on it.
>>
>
> It shouldn't be applied to any directory writable by an untrusted entity
> (e.g. ~/public_html) unless you are taking some kind of safeguards to
> prevent it from being used as a way to relabel files outside the user's
> control via links.
>
>

Not sure what you mean. It is taking into account the user's homedir. And the file. If public_html was not a directory it would be labeled user_home_t. I don't know how someone could cause the relabel to be a problem. I guess if the administrator was to start to add files in /tmp or ~/subdir/subdir/SecretFile. This could be a problem.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 20 Mar 2006 - 09:51:56 EST
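
The kind of safeguard the quoted reply asks for before relabeling inside a user-writable directory, as an added example (not code from policycoreutils or from either poster). The function names, the constructed temporary directory and the choice to reject any regular file with more than one hard link are assumptions made for illustration.

```python
import os
import stat
import tempfile

def open_for_relabel(path, owner_uid):
    """Return an fd for path if relabeling it for owner_uid is safe, else None."""
    # O_NOFOLLOW refuses a symlink in the final path component, so a link
    # planted in the watched directory is never followed to its target.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError:
        return None
    st = os.fstat(fd)  # inspect the opened object, not the name
    owned = st.st_uid == owner_uid
    # A second hard link means the same inode is reachable under another name.
    plain = stat.S_ISDIR(st.st_mode) or (
        stat.S_ISREG(st.st_mode) and st.st_nlink == 1)
    if owned and plain:
        return fd  # caller labels via this fd (libselinux fsetfilecon), then closes
    os.close(fd)
    return None

def is_safe(path, owner_uid):
    fd = open_for_relabel(path, owner_uid)
    if fd is None:
        return False
    os.close(fd)
    return True

def demo():
    """Constructed home directory exercising each case."""
    with tempfile.TemporaryDirectory() as home:
        uid = os.getuid()
        web = os.path.join(home, "public_html")
        os.mkdir(web)
        secret = os.path.join(home, "SecretFile")
        open(secret, "w").close()
        sym = os.path.join(home, "symlinked")
        os.symlink(secret, sym)
        hard = os.path.join(home, "hardlinked")
        os.link(secret, hard)
        return {
            "directory": is_safe(web, uid),
            "symlink": is_safe(sym, uid),
            "hardlink": is_safe(hard, uid),
            "wrong_owner": is_safe(web, uid + 1),
        }
```

O_NOFOLLOW only covers the last path component, so a watcher still has to make sure the parent directories it walks through are not replaceable by the untrusted user.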
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 
National Security Agency / Central Security Service