From owner-freebsd-security@FreeBSD.ORG Thu Feb 12 09:27:37 2009
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 122801065676; Thu, 12 Feb 2009 09:27:37 +0000 (UTC) (envelope-from BORJAMAR@SARENET.ES)
Received: from proxypop1.sarenet.es (proxypop1.sarenet.es [194.30.0.99]) by mx1.freebsd.org (Postfix) with ESMTP id C3E498FC1D; Thu, 12 Feb 2009 09:27:36 +0000 (UTC) (envelope-from BORJAMAR@SARENET.ES)
Received: from [127.0.0.1] (matahari.sarenet.es [192.148.167.18]) by proxypop1.sarenet.es (Postfix) with ESMTP id 1E39D5D91; Thu, 12 Feb 2009 10:27:35 +0100 (CET)
Message-Id: <827FC0EC-0774-4957-A589-A0A566792DD9@SARENET.ES>
From: Borja Marcos
To: Robert Watson
In-Reply-To:
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Thu, 12 Feb 2009 10:27:34 +0100
References: <5F581D71-E6BF-487D-91F0-67EA6A21BA6E@SARENET.ES> <5CFEFF94-39B2-4CB6-9797-1F6B9EF73D41@SARENET.ES>
X-Mailer: Apple Mail (2.930.3)
Cc: freebsd-security@freebsd.org
Subject: Re: MAC subsystem and ZFS?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 12 Feb 2009 09:27:37 -0000

On Feb 11, 2009, at 6:52 PM, Robert Watson wrote:

> On Mon, 9 Feb 2009, Borja Marcos wrote:
>
>> On Feb 7, 2009, at 11:21 PM, Robert Watson wrote:
>>
>>>> I'm trying to upgrade the configuration of some web services,
>>>> already using the MAC subsystem, to use ZFS instead of UFS, but I
>>>> see that ZFS doesn't support MAC labels, even for a whole
>>>> filesystem, which would be fine for me, I don't need multilabel
>>>> support.
>>>> Any ideas? Have I missed anything?
>>>
>>> Hmmm. Sounds like a bug -- all file systems should be able to
>>> operate in single-label mode, even if they don't support EAs and
>>> multilabel mode. Could you describe the symptoms you're
>>> experiencing in a bit more detail?
>>
>> I can read the MAC label from a ZFS dataset, but cannot change it.
>> Example follows:
>
> This is the expected behavior for a single-label file system -- that
> is to say, a file system that doesn't support storing multiple
> labels. If EA support in ZFS is mature, it should be fairly
> straightforward to implement multi-label support. The following
> changes were made to UFS/UFS2 to support per-file label storage:

Hmm. But, expected to be unable to change the label for the whole filesystem? (ZFS dataset = filesystem)

In my example, pool/test is a dataset, a separate filesystem.

I'm not dealing with multi-label support and I know there's a serious problem to implement such EAs in ZFS, as far as I know. ZFS is designed to be interoperable, and a ZFS pool created in, say, FreeBSD or Mac OS X should be perfectly readable for, for example, Solaris. What happens to this kind of attributes that cannot be understood by the others?

It's a pity that the usage of strong systems such as this MAC subsystem is only marginal... It's hard to standardize anything.

Borja.