Closed linux-gcc closed 1 year ago
In my interpretation https://github.com/SELinuxProject/selinux-notebook/blob/7eba84c76a68e8f284f5a33d3f0cd298655b6cbe/src/computing_security_contexts.md?plain=1#L171-L174 talks about the filesystem context (the one used for filesystem access checks, like `mount`, `unmount`, etc.).
https://github.com/SELinuxProject/selinux-notebook/blob/7eba84c76a68e8f284f5a33d3f0cd298655b6cbe/src/file_labeling_statements.md?plain=1#L119-L122 talks about the file objects on it.
Thanks! That is to say, for pseudo file systems, if there is no matching type_transition rule, does the label of the pseudo file system default to the label of the creating process? For example, if a process mounts the tmpfs file system, is the label of the tmpfs file system the same as the process label? @cgzones
The `tmpfs` filesystem is generally labeled via the `fs_use_trans` statement.
`fs_use_trans` is different from `fs_use_task`: the former uses as the default context for newly created objects the parent context of the object (e.g. `system_u:object_r:tmpfs_t`), while the latter uses the context of the creating task (e.g. `user_u:user_r:user_t`).
> label of the tmpfs file system is the same as the process label
There is a difference between the label of the filesystem and the label of objects on/in that filesystem. The label of the filesystem generally does not depend on the process mounting it.
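To make the distinction above concrete, here is an added example (not code from the notebook or from anyone in this thread) that models how the default context of a new object is derived on a filesystem labeled with `fs_use_task` versus `fs_use_trans`, following the notebook's general rules (user from the creating task, role `object_r`, type from the target unless a `type_transition` rule matches). MLS ranges are left out, and the `user_tmpfs_t` type and the `type_transition` rule are constructed sample values.

```python
# Added example: a small model of default object labeling on pseudo filesystems.
# Not part of the notebook; MLS ranges are omitted and sample names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        user, role, type_ = s.split(":")
        return cls(user, role, type_)

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}"


def new_object_context(fs_use: str, task: Context, parent: Context,
                       obj_class: str, type_transitions: dict) -> Context:
    """Default context of a new object of class obj_class.

    fs_use:           "fs_use_task" or "fs_use_trans" (how the filesystem is labeled)
    task:             context of the creating task
    parent:           context of the parent object (the filesystem or a directory on it)
    type_transitions: {(source_type, target_type, class): new_type}, i.e. type_transition rules
    """
    if fs_use == "fs_use_task":
        # fs_use_task: the new object simply takes the creating task's context.
        return task
    if fs_use == "fs_use_trans":
        # fs_use_trans: user from the task, role object_r, type from the parent
        # unless a matching type_transition rule names a different type.
        new_type = type_transitions.get((task.type, parent.type, obj_class), parent.type)
        return Context(task.user, "object_r", new_type)
    raise ValueError(f"unsupported fs_use statement: {fs_use}")


def demo() -> dict:
    task = Context.parse("user_u:user_r:user_t")
    tmpfs = Context.parse("system_u:object_r:tmpfs_t")
    # Constructed rule, equivalent to: type_transition user_t tmpfs_t:file user_tmpfs_t;
    rules = {("user_t", "tmpfs_t", "file"): "user_tmpfs_t"}
    return {
        "trans_no_rule": str(new_object_context("fs_use_trans", task, tmpfs, "dir", rules)),
        "trans_with_rule": str(new_object_context("fs_use_trans", task, tmpfs, "file", rules)),
        "task": str(new_object_context("fs_use_task", task, tmpfs, "file", rules)),
    }
```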
This repo isn't intended for general SELinux questions, but regardless, it looks like this question is resolved, so I'm going to go ahead and close this issue. @linux-gcc if you have any further SELinux questions that are not specific to The SELinux Notebook, I suggest joining the SELinux developers mailing list; the link to subscribe is below:
> `fs_use_task pipefs system_u:object_r:fs_t:s0`
> The type component defaults to the type of the target type if no matching type_transition rule was specified in the policy (policy version 28 allows a default_type of source or target to be defined)

What exactly does the target type described here mean? Taking the above policy as an example, is it fs_t?