> On Wednesday, November 26, 2003 Chris PeBenito wrote:
>
> On Wed, 2003-11-19 at 00:03, Tad wrote:
> > For anyone that is interested, I've created a patch to XFS that adds the
> > security.* extended attribute namespace needed by SELinux.
>
> > The other option was to add true support for the security namespace.
>
> Due to some prodding from Primer on IRC, I had a talk with an XFS
> developer in #xfs. And from what's been described, your implementation
> sounded correct. I created a patch for 2.6.0-test10 using your patch.
> I'll be seeing what the XFS people have to say about it.

That's great. I hope they like it, or at least incorporate something that is
functionally equivalent.

If they don't accept it, I've also created an alternative patch that puts
the security.* attributes under the XFS_ATTR_ROOT namespace (trusted.*). It
works just as well but has the added benefit of not forcing the need to
patch xfsdump. However, it's not as ideal because it occludes a segment of
the available trusted.* namespace (trusted.security.*) and just feels more
hackish. If anyone is interested in it, let me know and I'll post it.

> http://dev.gentoo.org/~pebenito/xfs-security-namespace-2.6.0-test10.diff
>
> I have lightly tested this, and it does work correctly with SELinux.
> The XFS line in the fs_use file in the policy would have to be
> uncommented, and the policy reloaded. If people are interested, you can
> try it out, but I wouldn't use it on anything important yet, in case
> things change.
>
> XFS mounting filesystem loop0
> Ending clean XFS mount for filesystem: loop0
> SELinux: initialized (dev loop0, type xfs), uses xattr
>
> > I haven't looked at xfsdump/xfsrestore so I don't know if they will require
> > changes. I'm hoping that they take the flags field whole and don't do
> > anything with it that could disrupt the new XFS_ATTR_SECURITY bit.
>
> I'll pass these concerns on to the XFS people.

I looked at xfsdump and from what I saw it will need to be patched.

-Tad


--
gentoo-hardened@g.o mailing list