Re: MAC subsystem and ZFS?
- From: Borja Marcos <BORJAMAR@xxxxxxxxxx>
- Date: Thu, 12 Feb 2009 13:42:17 +0100
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:
> This is the expected behavior for a single-label file system -- that is to say, a file system that doesn't support storing multiple labels. If EA support in ZFS is mature, it should be fairly straightforward to implement multi-label support. The following changes were made to UFS/UFS2 to support per-file label storage:
Hmm. I see, I start to understand, but...
Suppose I have a system without any multilabel support enabled. Is it possible to assign a different MAC label than the default to a single filesystem?
For instance: Imagine I have everything with a default label of biba/high and I want a biba/equal label just for /tmp, which is a different filesystem.
I've tried creating a policy file to be used with setfsmac but I am unable to change that default label.
Am I doing anything wrong? Or is multilabel support mandatory in order to assign a label to a filesystem?
What I've been trying now (and without ZFS) is:
(without multi-label support enabled for any filesystems)
- mount a filesystem, say, into /filesystem
- it has the default biba/high(low-high),mls/low(low-high) label
- try to change the label for the filesystem:
    setfmac newlabel /filesystem (fails)
- create a policy.conf stating a label for the new filesystem and try to apply it:
    setfsmac -vxf policy.conf /filesystem (fails)
    setfsmac -vxf policy.conf / (fails)
Am I doing anything wrong, or is it just not possible to change the MAC label from the default for a whole filesystem without any multi-label support in the system?
Thank you very much again,