LWN: Comments on "Pathname-based hooks for SELinux?"
https://lwn.net/Articles/419161/
This is a special feed containing comments posted to the individual LWN article titled "Pathname-based hooks for SELinux?".

Pathname-based hooks for SELinux?
https://lwn.net/Articles/419576/
jthill

"I see. Pathname based controls. In SELinux."

But this isn't pathname-based access controls at all.

It's delegation of labeling responsibility. If you have labeling authority, either you do all the labeling yourself or you delegate the responsibility, to a human or to a computer, and to do that you must give instructions.

The security labels are applied directly to the object; its name is immediately completely irrelevant, and that's just as it should be.

Sun, 12 Dec 2010 03:41:49 +0000

No surprise
https://lwn.net/Articles/419568/
drag

From a user/admin standpoint it never made much sense to me that the same data in a file system could have multiple different permissions associated with it. It's just asking for trouble if I could have a filename that was only root readable on one hand, but have the same data world writable on the other hand just based on how they are referenced in the directory tree.

This does seem like the right way to go.

Sat, 11 Dec 2010 22:20:11 +0000

Pathname-based hooks for SELinux?
https://lwn.net/Articles/419381/
dcg

"SELinux very much so is and will continue to be based solely on label based controls."

And I thought SELinux developers had finally decided to fix the mess and make it usable by normal people... :/

(IMO SELinux would be a good example for the design pattern articles: theoretically beautiful, but in practice a good part of their userspace exists to work around problems caused by it - including a semiautomatic system to submit SELinux problems to the bugzilla and get a Fedora update for the policy package!)

Fri, 10 Dec 2010 00:50:08 +0000

No surprise
https://lwn.net/Articles/419296/
spender

Somehow escaping the inode/pathname discussion, I've been using the hybrid approach in grsecurity's RBAC system since it was created and even before it had role support. I knew since the beginning it was an important common-case situation for both usability and policy enforcement. Good to hear people are catching up with what I was doing in 2001.

-Brad

Thu, 09 Dec 2010 13:53:36 +0000