lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1278684566.2494.226.camel@moss-terrapins.epoch.ncsc.mil>
Date:	Fri, 09 Jul 2010 10:09:26 -0400
From:	"David P. Quigley" <dpquigl@...ho.nsa.gov>
To:	James Morris <jmorris@...ei.org>
Cc:	hch@...radead.org, viro@...iv.linux.org.uk, casey@...aufler-ca.com,
	sds@...ho.nsa.gov, "Matthew N. Dodd" <matthew.dodd@...rta.com>,
	trond.myklebust@....uio.no, bfields@...ldses.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
	linux-nfs@...r.kernel.org
Subject: Re: [PATCH 04/10] SELinux: Add new labeling type native labels

On Fri, 2010-07-09 at 08:33 +1000, James Morris wrote:
> On Thu, 8 Jul 2010, David P. Quigley wrote:
> 
> > > Otherwise, this is a global policy decision which affects all NFSv4 
> > > mounts, right?
> > > 
> > > 
> > 
> > I don't believe we have that ability in any other file system.
> 
> NFS is quite different to other filesystems.  Your files are on other 
> systems, for example, which may or may not support security labeling.

And if that is the case then the capability flag does not get set in the
NFSv4 server caps and we don't use security label support on that mount.

> 
> > If you want to decide that you want to use genfs style labels on NFSv4 
> > just use a context mount.
> 
> So, we enable this feature, and virtually all existing mounts break 
> because the servers do not support labeling.

No it should default back to being nfs_t which is what happens when I
use my client on an export that doesn't have security_label set.

> 
> > That way you can have the default behavior be 
> > use security label support unless you don't want to and then you can 
> > have a context mount.
> 
> It needs to be the other way around.  This is a new feature, so the 
> default needs to be the existing behavior, with security labeling as an 
> option to enable at mount time.

We made sure it falls back properly. It was decided a long time ago with
discussion by several people that having it default to use it if its
there otherwise fall back to the old behavior makes much more sense to
an administrator.

> 
> 
> 
> - James

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ