| 1 |
> On Wednesday, November 26, 2003 Chris PeBenito wrote: |
| 2 |
> |
| 3 |
> On Wed, 2003-11-19 at 00:03, Tad wrote: |
| 4 |
> > For anyone that is interested, I've created a patch to XFS that adds the |
| 5 |
> > security.* extended attribute namespace needed by SElinux. |
| 6 |
> |
| 7 |
> > The other option was to add true support for the security namespace. |
| 8 |
> |
| 9 |
> Due to some prodding from Primer on IRC, I had a talk with a XFS |
| 10 |
> developer in #xfs. And from what's been described, your implementation |
| 11 |
> sounded correct. I created a patch for 2.6.0-test10 using your patch. |
| 12 |
> I'll be seeing what the XFS people have to say about it. |
| 13 |
|
| 14 |
That's great. I hope they like it, or at least incorporate something that is |
| 15 |
functionally equivalent. |
| 16 |
|
| 17 |
If they don't accept it, I've also created an alternative patch that puts |
| 18 |
the security.* attributes under the XFS_ATTR_ROOT namespace (trusted.*). It |
| 19 |
works just as well but has the added benefit of not forcing the need to |
| 20 |
patch xfsdump. However, it's not as ideal because it occludes a segment of |
| 21 |
the available trusted.* namespace (trusted.security.*) and just feels more |
| 22 |
hackish. If anyone is interested in it, let me know and I'll post it. |
| 23 |
|
| 24 |
> http://dev.gentoo.org/~pebenito/xfs-security-namespace-2.6.0-test10.diff |
| 25 |
> |
| 26 |
> I have lightly tested this, and it does work correctly with SELinux. |
| 27 |
> The XFS line in the fs_use file in the policy would have to be |
| 28 |
> uncommented, and the policy reloaded. If people are interested, you can |
| 29 |
> try it out, but I wouldn't use it on anything important yet, in case |
| 30 |
> things change. |
| 31 |
> |
| 32 |
> XFS mounting filesystem loop0 |
| 33 |
> Ending clean XFS mount for filesystem: loop0 |
| 34 |
> SELinux: initialized (dev loop0, type xfs), uses xattr |
| 35 |
> |
| 36 |
> > I haven't looked at xfsdump/xfsrestore so I don't know if they will |
| 37 |
> require |
| 38 |
> > changes. I'm hoping that they take the flags field whole and don't do |
| 39 |
> > anything with it that could disrupt the new XFS_ATTR_SECURITY bit. |
| 40 |
> |
| 41 |
> I'll pass these concerns on to the XFS people. |
| 42 |
|
| 43 |
I looked at xfsdump and from what I saw it will need to be patched. |
| 44 |
|
| 45 |
-Tad |
| 46 |
|
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-hardened@g.o mailing list |
Archives