On Sunday, November 16, 2003 at 4:33 PM, Chris PeBenito wrote:
> On Sun, 2003-11-16 at 15:52, Tad wrote:
> > I have been experimenting with running SELinux on filesystems other than
> > ext2 and ext3. My first attempt was with reiserfs (3.6) plus some patches
> > from SUSE. I was able to get it (sort of) working after I fixed a locking
> > issue. I found that it was a bit slow and tended to lose or corrupt the
> > context label. I decided that the xattr patch for reiserfs was just too
> > slow and hackish.
>
> It's unfortunate that ReiserFS only has those patches. I'm told that
> Hans Reiser is against extended attributes, so Reiser4 may or may not
> have them.
|
Based on what I've read, the main reason for not adding xattr/acl to reiser3
was that it would require a format change and the subsequent code changes
and test/debug cycles would take time away from finishing reiser4.

Based on what I have read on www.namesys.com and what I could find in the
reiser4 patch, I'd say that extended attributes will either be supported
directly, or will be supported through a plug-in.
|
> > To get SELinux to work on XFS all that seems needed is a minor change to
> > xfs_iops.[hc] so that it will recognize and allow security.* xattrs. I've
> > made the changes, and created a 2.4.21 kernel with XFS, the ea+acl patchset
> > and SELinux.
> >
> > I'm testing my changes right now and would like to know if anyone else is
> > interested in a SELinux+xfs combination.
>
> I myself don't use XFS; however, if you drop a link to your fixed XFS
> patches, and the patch to add the security. handling I'd be happy to
> look at them, and possibly add them to selinux-sources. It would be
> more difficult to add it to hardened-sources, but that is a possibility
> too.
|
My xfs patch is small and once I'm certain it works, I'll post it to the
list along with a description of how I applied the other patches.

At the moment it seems to work but has one odd side effect. When I do
'getfattr -d <file>' it will list the SELinux attr as "user.selinux". But if
I do 'getfattr -n security.selinux <file>' it will list the same value. I
think I'm going to have to make a few more changes.
|
> What would be even more useful is if you could create a patch for 2.6.
> Then we could test it, send it over to the NSA so they could try it out
> too. If we could get it into 2.6, that'd be great. It would probably
> have to be a configure option, like it is for ext[23].
|
Yes, that would be nice. If the 2.4 xfs patch works then porting to 2.6 will
most likely be trivial.

-Tad

--
gentoo-hardened@g.o mailing list