| 1 |
On Sunday, November 16, 2003 at 4:33 PM, Chris PeBenito wrote: |
| 2 |
> On Sun, 2003-11-16 at 15:52, Tad wrote: |
| 3 |
> > I have been experimenting with running SELinux on filesystems other than |
| 4 |
> > ext2 and ext3. My first attempt was with reiserfs(3.6) plus some patches |
| 5 |
> > from SUSE. I was able to get it (sort of) working after I fixed a |
| 6 |
> locking |
| 7 |
> > issue. I found that it was a bit slow and tended to loose corrupt the |
| 8 |
> > context label. I decided that the xattr patch for reiserfs was just to |
| 9 |
> slow |
| 10 |
> > and hackish. |
| 11 |
> |
| 12 |
> Its unfortunate that ReiserFS only has those patches. I'm told that |
| 13 |
> Hans Reiser is against extended attributes, so Reiser4 may or may not |
| 14 |
> have them. |
| 15 |
|
| 16 |
Based on what I've read, the main reason for not adding xattr/acl to reiser3 |
| 17 |
was that it would require a format change and the subsequent code changes |
| 18 |
and test/debug cycles would take time away from finishing reiser4. |
| 19 |
|
| 20 |
Based on what I have read on www.namesys.com and what I could find in the |
| 21 |
reiser4 patch, I'd say that extended attributes will either be supported |
| 22 |
directly, or will be supported through a plug-in. |
| 23 |
|
| 24 |
> > To get SElinux to work on XFS all that seems needed is a minor change to |
| 25 |
> > xfs_iops.[hc] so that it will recognize and allow security.* xattrs. |
| 26 |
> I've |
| 27 |
> > made the changes, and created a 2.4.21 kernel with XFS, the ea+acl |
| 28 |
> patchset |
| 29 |
> > and SElinux. |
| 30 |
> > |
| 31 |
> > I'm testing my changes right now and would like to know if anyone else |
| 32 |
> is |
| 33 |
> > interested in a SElinux+xfs combination. |
| 34 |
> |
| 35 |
> I myself don't use XFS; however, if you drop a link to your fixed XFS |
| 36 |
> patches, and the patch to add the security. handling I'd be happy to |
| 37 |
> look at them, and possibly add them to selinux-sources. It would be |
| 38 |
> more difficult to add it to hardened-sources, but that is a possibility |
| 39 |
> too. |
| 40 |
|
| 41 |
My xfs patch is small and once I'm certain it works, I'll post it to the |
| 42 |
list along with a description of how I applied the other patches. |
| 43 |
|
| 44 |
At the moment it seems to work but has one odd side effect. When I do |
| 45 |
'getfattr -d <file>' is will list the selinux attr as "user.selinux". But if |
| 46 |
I do 'getfattr -n security.selinux <file>' it will list the same value. I |
| 47 |
think I'm going to have to make a few more changes. |
| 48 |
|
| 49 |
> What would be even more useful is if you could create a patch for 2.6. |
| 50 |
> Then we could test it, send it over to the NSA so they could try it out |
| 51 |
> too. If we could get it into 2.6, that'd be great. It would probably |
| 52 |
> have to be a configure option, like it is for ext[23]. |
| 53 |
|
| 54 |
Yes, that would be nice. If the 2.4 xfs patch works then porting to 2.6 will |
| 55 |
most likely be trivial. |
| 56 |
|
| 57 |
-Tad |
| 58 |
|
| 59 |
|
| 60 |
-- |
| 61 |
gentoo-hardened@g.o mailing list |
Archives