Date: Thu, 12 Feb 2009 10:27:34 +0100
From: Borja Marcos <BORJAMAR@SARENET.ES>
To: Robert Watson <rwatson@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: MAC subsystem and ZFS?
Message-ID: <827FC0EC-0774-4957-A589-A0A566792DD9@SARENET.ES>
In-Reply-To: <alpine.BSF.2.00.0902111739300.7455@fledge.watson.org>
References: <5F581D71-E6BF-487D-91F0-67EA6A21BA6E@SARENET.ES> <alpine.BSF.2.00.0902072220480.89719@fledge.watson.org> <5CFEFF94-39B2-4CB6-9797-1F6B9EF73D41@SARENET.ES> <alpine.BSF.2.00.0902111739300.7455@fledge.watson.org>
On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> On Mon, 9 Feb 2009, Borja Marcos wrote:
>
>> On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:
>>
>>>> I'm trying to upgrade the configuration of some web services,
>>>> already using the MAC subsystem, to use ZFS instead of UFS, but I
>>>> see that ZFS doesn't support MAC labels, even for a whole
>>>> filesystem, which would be fine for me, I don't need multilabel
>>>> support.
>>>> Any ideas? Have I missed anything?
>>> Hmmm. Sounds like a bug -- all file systems should be able to
>>> operate in single-label mode, even if they don't support EAs and
>>> multilabel mode. Could you describe the symptoms you're
>>> experiencing in a bit more detail?
>>
>> I can read the MAC label from a ZFS dataset, but cannot change it.
>> Example follows:
> This is the expected behavior for a single-label file system -- that
> is to say, a file system that doesn't support storing multiple
> labels. If EA support in ZFS is mature, it should be fairly
> straight forward to implement multi-label support. The following
> changes were made to UFS/UFS2 to support per-file label storage:

Hmm. But, expected to be unable to change the label for the whole filesystem? (ZFS dataset = filesystem)

In my example, pool/test is a dataset, a separate filesystem.

I'm not dealing with multi-label support and I know there's a serious problem to implement such EAs in ZFS, as far as I know. ZFS is designed to be interoperable, and a ZFS pool created in, say, FreeBSD or Mac OS X should be perfectly readable for, for example, Solaris.

What happens to this kind of attributes that cannot be understood by the others?

It's a pity that the usage of strong systems such as this MAC subsystem is only marginal... It's hard to standardize anything.

Borja.