Re: MAC subsystem and ZFS?

On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> This is the expected behavior for a single-label file system -- that is to say, a file system that doesn't support storing multiple labels. If EA support in ZFS is mature, it should be fairly straightforward to implement multi-label support. The following changes were made to UFS/UFS2 to support per-file label storage:

Hmm. I see, I start to understand, but...

Suppose I have a system without any multilabel support enabled. Is it possible to assign a different MAC label than the default to a single filesystem?

For instance: Imagine I have everything with a default label of biba/high and I want a biba/equal label just for /tmp, which is a different filesystem.

I've tried creating a policy file to be used with setfsmac but I am unable to change that default label.

Am I doing anything wrong? Or is multilabel support mandatory in order to assign a n label to a filesystem?

What I've been trying now (and without ZFS) is:

(without multi-label support enabled for any filesystems)

- mount a filesystem, say, into /filesystem

- it has the default biba/high(low-high),mls/low(low-high) label

- try to change the label for the filesystem.

setfmac newlabel /filesystem (fails)

create a policy.conf stating a label for the new filesystem

/filesystem biba/equal,mls/equal

and trying to apply it
setfsmac -vxf policy.conf /filesystem (fails)
setfsmac -vxf policy.conf / (fails)

Am I doing anything wrong, or is it just not possible to change the MAC label from the default for a whole filesystem without any multi-label support in the system?

Thank you very much again,

