Date: Thu, 12 Feb 2009 13:42:17 +0100
From: Borja Marcos <BORJAMAR@SARENET.ES>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: MAC subsystem and ZFS?
Message-ID: <BBB59AA0-10F1-4649-8FBF-6CC9DA405FE2@SARENET.ES>
In-Reply-To: <alpine.BSF.2.00.0902111739300.7455@fledge.watson.org>
References: <5F581D71-E6BF-487D-91F0-67EA6A21BA6E@SARENET.ES> <alpine.BSF.2.00.0902072220480.89719@fledge.watson.org> <5CFEFF94-39B2-4CB6-9797-1F6B9EF73D41@SARENET.ES> <alpine.BSF.2.00.0902111739300.7455@fledge.watson.org>

On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> This is the expected behavior for a single-label file system -- that
> is to say, a file system that doesn't support storing multiple
> labels. If EA support in ZFS is mature, it should be fairly
> straight forward to implement multi-label support. The following
> changes were made to UFS/UFS2 to support per-file label storage:

Hmm. I see, I start to understand, but...

Suppose I have a system without any multilabel support enabled. Is it possible to assign a different MAC label than the default to a single filesystem?

For instance: Imagine I have everything with a default label of biba/high and I want a biba/equal label just for /tmp, which is a different filesystem.

I've tried creating a policy file to be used with setfsmac but I am unable to change that default label. Am I doing anything wrong? Or is multilabel support mandatory in order to assign a n label to a filesystem?

What I've been trying now (and without ZFS) is:

(without multi-label support enabled for any filesystems)

- mount a filesystem, say, into /filesystem
- it has the default biba/high(low-high),mls/low(low-high) label
- try to change the label for the filesystem.

setfmac newlabel /filesystem
(fails)

create a policy.conf stating a label for the new filesystem

/filesystem biba/equal,mls/equal

and trying to apply it

setfsmac -vxf policy.conf /filesystem
(fails)

setfsmac -vxf policy.conf /
(fails)

Doing anything wrong or it's just not possible to change the MAC label from the default for a whole filesystem without any multi-label support in the system?

Thank you very much again,

Borja.