Re: [AppArmor 39/45] AppArmor: Profile loading andmanipulation,pathname matching

From: Tetsuo Handa <from-lsm@xxxxxxxxxxxxxxxxxxx>
Date: Sun, 17 Jun 2007 01:45:31 +0900

Greg KH wrote:

On Sun, Jun 17, 2007 at 12:44:08AM +0900, Tetsuo Handa wrote:

Can the daemon using inotify access to all pathnames in all process's
namespaces?

I don't see why not, do you?

Are the namespace the daemon has and the namespace of pathnames
notified via inotify always the same?

If they are in the same namespace, then yes, they will as far as I can
tell. Do you think this is incorrect?

At least, I think SELinux's "make relabel" can't relabel
files that are not in the namespace of "make" process.

I don't know how to use inotify, but what I worried is ...

If there are cases they are in different namespace,
it is impossible to relabel using userland daemon
(i.e. deferred-relabeling won't work)
unless all pathnames of all namespaces are somehow
accessible via inotify.

Thanks.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

References:
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Greg KH
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Crispin Cowan
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
  - From: Greg KH
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,pathname matching
  - From: Tetsuo Handa
- Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,pathname matching
  - From: Greg KH

Prev by Date: Re: 2.6.22-rc: regression: no irda0 interface (2.6.21 was OK), smsc does not find chip
Next by Date: Re: [PATCH] NFS: Make NFS root work again
Previous by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation,pathname matching
Next by thread: Re: [AppArmor 39/45] AppArmor: Profile loading and manipulation, pathname matching
Index(es):
- Date
- Thread

Relevant Pages

Re: [PATCH] audit: file system auditing based on location and name
... Now, as far as Inotify is concerned, how this is finally interpreted is up to ... >> the user space programs it's feeding. ... > Which should be the same as audit, ... >> ensures that it's auditable from any namespace. ...
(Linux-Kernel)
Re: [PATCH] audit: file system auditing based on location and name
... why would not inotify also want this functionality if you ... >> As inotify works off of open file descriptors, yes, this is true. ... > are both interested in reporting a subset of file system activity and could ... > ensures that it's auditable from any namespace. ...
(Linux-Kernel)
Re: F1 Help in VS 2005
... Glad you identified it as just the SqlClient ... > Hi Greg, ... > SqlClient namespace, but if you test with some other namespace, it works ... our product team engineer will follow this issue ...
(microsoft.public.vsnet.ide)
Re: Project level "Type not defined" error messsage.
... namespace for ASP.NET apps, anyway. ... "Greg Burns" wrote: ... > ProjectName as your root namespace your effective namespace will look like: ...
(microsoft.public.dotnet.languages.vb)
Re: RevInstr equivalent?
... If you don't want to use VB namespace, there is also the LastIndexOf method ... of the string class. ... Greg ...
(microsoft.public.dotnet.languages.vb)