Re: MAC subsystem and ZFS?




On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> This is the expected behavior for a single-label file system -- that is to say, a file system that doesn't support storing multiple labels. If EA support in ZFS is mature, it should be fairly straightforward to implement multi-label support. The following changes were made to UFS/UFS2 to support per-file label storage:

Hmm. I see, I start to understand, but...

Suppose I have a system without any multilabel support enabled. Is it possible to assign a different MAC label than the default to a single filesystem?

For instance: Imagine I have everything with a default label of biba/high and I want a biba/equal label just for /tmp, which is a different filesystem.

I've tried creating a policy file to be used with setfsmac but I am unable to change that default label.

Am I doing anything wrong? Or is multilabel support mandatory in order to assign a label to a filesystem?

What I've been trying now (and without ZFS) is:

(without multi-label support enabled for any filesystems)

- mount a filesystem, say, into /filesystem

- it has the default biba/high(low-high),mls/low(low-high) label

- try to change the label for the filesystem:

    setfmac newlabel /filesystem (fails)

- create a policy.conf stating a label for the new filesystem:

    /filesystem biba/equal,mls/equal

- and trying to apply it:

    setfsmac -vxf policy.conf /filesystem (fails)
    setfsmac -vxf policy.conf / (fails)

Am I doing anything wrong, or is it just not possible to change the MAC label from the default for a whole filesystem without any multi-label support in the system?


Thank you very much again,

Borja.

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"


