From: Borja Marcos
To: Robert Watson
Cc: freebsd-security@freebsd.org
Subject: Re: MAC subsystem and ZFS?
Date: Thu, 12 Feb 2009 13:42:17 +0100

On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> This is the expected behavior for a single-label file system -- that
> is to say, a file system that doesn't support storing multiple
> labels. If EA support in ZFS is mature, it should be fairly
> straightforward to implement multi-label support. The following
> changes were made to UFS/UFS2 to support per-file label storage:

Hmm. I see, I start to understand, but...

Suppose I have a system without any multilabel support enabled. Is it possible to assign a different MAC label than the default to a single filesystem?

For instance: imagine I have everything with a default label of biba/high and I want a biba/equal label just for /tmp, which is a different filesystem.

I've tried creating a policy file to be used with setfsmac, but I am unable to change that default label. Am I doing anything wrong? Or is multilabel support mandatory in order to assign a label to a filesystem?

What I've been trying now (and without ZFS) is (without multi-label support enabled for any filesystems):

- mount a filesystem, say, into /filesystem
- it has the default biba/high(low-high),mls/low(low-high) label
- try to change the label for the filesystem:

    setfmac newlabel /filesystem              (fails)

  create a policy.conf stating a label for the new filesystem:

    /filesystem biba/equal,mls/equal

  and try to apply it:

    setfsmac -vxf policy.conf /filesystem     (fails)
    setfsmac -vxf policy.conf /              (fails)

Am I doing anything wrong, or is it just not possible to change the MAC label from the default for a whole filesystem without any multi-label support in the system?

Thank you very much again,

Borja.
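As an added example (not part of the thread), a POSIX sh helper for a FreeBSD host that checks whether a mount point was mounted with the multilabel option before any setfmac/setfsmac attempt, and writes a setfsmac specification in the "regex label" form for the /filesystem label from the message; the mount(8) output lines embedded for the offline run are constructed, and the policy file name is an assumption.

```shell
#!/bin/sh
# Added example: per-file labels can only be stored on a mount that lists
# "multilabel" in its options, e.g. (FreeBSD mount(8) output):
#   /dev/ada0p4 on /multi (ufs, local, multilabel, soft-updates)
# fs_multilabel MOUNTPOINT < mount-output
#   returns 0 if MOUNTPOINT lists multilabel, 1 if not, 2 if it is not mounted
fs_multilabel() {
    mp="$1"
    line=$(awk -v mp="$mp" '$2 == "on" && $3 == mp { print; exit }')
    [ -n "$line" ] || return 2
    case "$line" in
        *"("*multilabel*")"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a setfsmac(8) specification: one "regex label" entry per line.
# Label values are the ones from the message; the output path is an argument.
write_policy() {
    cat > "$1" <<'EOF'
# setfsmac specification (constructed example)
# regex                     label
/filesystem(/.*)?           biba/equal,mls/equal
EOF
}

# Constructed mount(8) output for the offline run (not captured from a host).
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p3 on /filesystem (ufs, local, soft-updates)
/dev/ada0p4 on /multi (ufs, local, multilabel, soft-updates)'

# On a real host replace the printf with:  mount | fs_multilabel "$1"
report() {
    if printf '%s\n' "$SAMPLE_MOUNT" | fs_multilabel "$1"; then
        echo "$1: multilabel mount; setfsmac -vxf policy.conf $1 can store per-file labels"
    else
        echo "$1: single-label mount; per-file labels cannot be stored here"
    fi
}

report /filesystem
report /multi
```

On a real UFS volume, tunefs(8) with -l enable followed by a remount adds the multilabel option.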