Re: file_type_auto_trans is not sufficient

[Ivan Gyurdiev <ivg2@xxxxxxxxxxx>]

> I'd advise against creating a composite interface like this, as it runs
> into the same problems that we had with the original SELinux API (which
> had extended forms of mkdir/creat/mknod/exec), i.e. use of glibc
> functions that internally use these functions, as you note in a later
> message.

I agree, that was a bad idea.

>   Instead, keep the setting and resetting of the fscreate
> context as a separate operation, and then let the application continue
> to use ordinary mkdir/create/mknod or glibc functions for the actual
> creation.

Yes, but there's problems with that - in particular:

- is this thread-safe - see my later message

- is this a good idea - it pushes dynamic type changes into various
programs, while otherwise it's all in the policy, and easier to analyze 

- makes virtually everything depend on libselinux

- I'm replicating the same code pattern in lots of places...

- it puts linux-specific code into otherwise portable apps. I've
surrounded it all by WITH_SELINUX, but it's still rather ugly - 
don't think upstream will like it.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.