lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1185798467.15215.12.camel@moss-spartans.epoch.ncsc.mil>
Date:	Mon, 30 Jul 2007 08:27:47 -0400
From:	Stephen Smalley <sds@...ho.nsa.gov>
To:	David Chinner <dgc@....com>
Cc:	xfs-masters@....sgi.com, chrisw@...s-sol.org,
	linux-security-module@...r.kernel.org, jmorris@...ei.org,
	eparis@...isplace.org, linux-ext4@...r.kernel.org,
	reiserfs-devel@...r.kernel.org,
	jfs-discussion@...ts.sourceforge.net, jffs-dev@...s.com
Subject: Re: [xfs-masters] [RFC: 2.6 patch] make the *FS_SECURITY options
	no longer user visible

On Mon, 2007-07-30 at 09:29 +1000, David Chinner wrote:
> On Sun, Jul 29, 2007 at 05:02:09PM +0200, Adrian Bunk wrote:
> > Please correct me if any of the following assumptions is wrong:
> > - SELinux is currently the only user of filesystem security labels
> >   shipped with the Linux kernel
> > - if a user has SELinux enabled he wants his filesystems to support
> >   security labels
> > 
> > Based on these assumption, it doesn't make sense to have the
> > *FS_SECURITY user visible since we can perfectly determine automatically 
> > when turning them on makes sense.
> 
> Hmmm. The code in XFS is not dependent on selinux, but this change
> would mean that testing the security xattr namespace would require a
> selinux enabled kernel.
> 
> I agree that the default for these should be "y" and selected if
> selinux is enabled, but forcing us to use selinux enabled kernels
> (on distro's that may not support selinux) just to test the
> security xattr namespace is a bit of a pain.

You can enable SECURITY_SELINUX in the kernel config but still have it
boot disabled by default via SECURITY_SELINUX_BOOTPARAM_VALUE=0.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ