Is there a way to set a default set of labels for newly created files based on file paths or role?
On Thu, Jun 21, 2007 at 16:18:43 -0500, Bruno Wolff III bruno@wolff.to wrote:
> Is there a way to set a default set of labels for newly created files based on file paths or role?
The context of this question is from the point of the user who wants their files categorized automatically in most cases, based on either the directory the files are placed in or what role they are running as.
I think the semanage command can be used by system administrators to set defaults based on path names on behalf of users, but it would be nice if the users had a bit more control so they didn't have to bug the admins to set their defaults.
On Thu, Jun 21, 2007 at 16:18:43 -0500, Bruno Wolff III bruno@wolff.to wrote:
> Is there a way to set a default set of labels for newly created files based on file paths or role?
I found information stating the default type comes from the type of the directory in which the file is created, but my testing indicates that the categories do not default to that of the directory the file is created in. They seem to come from your current context. I tried dropping categories using newrole with the -l option, but it wouldn't let me do that. "Error: you are not allowed to change levels on a non secure terminal"
On Fri, 22 Jun 2007, Bruno Wolff III wrote:
> On Thu, Jun 21, 2007 at 16:18:43 -0500, Bruno Wolff III bruno@wolff.to wrote:
> > Is there a way to set a default set of labels for newly created files based on file paths or role?
> I found information stating the default type comes from the type of the directory in which the file is created,
Not for MCS labels, though. MCS labels can't currently be applied to directories, although they potentially could, and then files created under the directories could receive MCS labels based upon the parent directory and the creating process. The idea was to keep it as absolutely simple as possible and for users to explicitly label each object with MCS labels (so there are no inheritance semantics, for example).
This whole area is under review, and there's been some discussion of using TE for user labeling (cc'd Karl and Stephen).
- James
On Sat, Jun 23, 2007 at 11:15:11 -0400, James Morris jmorris@namei.org wrote:
> Not for MCS labels, though. MCS labels can't currently be applied to directories, although they potentially could, and then files created under the directories could receive MCS labels based upon the parent directory and the creating process. The idea was to keep it as absolutely simple as possible and for users to explicitly label each object with MCS labels (so there are no inheritance semantics, for example).
Thanks for the explanation.
selinux@lists.fedoraproject.org