From owner-freebsd-hackers Tue Apr 10 7:46:16 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 8B69C37B43C for ; Tue, 10 Apr 2001 07:46:14 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.3/8.11.3) with SMTP id f3AEkjf71377; Tue, 10 Apr 2001 10:46:46 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 10 Apr 2001 10:46:45 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Alex Zepeda Cc: Attila Nagy , hackers@freebsd.org Subject: Re: Mounting partitions with RO flag In-Reply-To: <20010408151108.A1159@zippy.mybox.zip> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, 8 Apr 2001, Alex Zepeda wrote: > On Sun, Apr 08, 2001 at 09:13:15PM +0200, Attila Nagy wrote: > > > So I am wondering, why the unices block mounting an already mounted > > partition read only again. > > Have you considered using ACLs perhaps? Sure it's not in -STABLE, but > it's a thought.. ACLs are a form of discretionary access control, and as such can't impose mandatory read-only behavior for processes in a jail. For that, you want mandatory access control, a feature still under development as part of TrustedBSD. However, mandatory file labeling substantially complicates file system management, and jail provides a simple substitute by using chroot, a choice that seems wise to me :-). Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message