Date: Wed, 12 Jun 2013 17:40:22 +1000
From: "Dewayne Geraghty" <dewayne.geraghty@heuristicsystems.com.au>
To: <priit@cc.ttu.ee>
Cc: freebsd-security@freebsd.org
Subject: RE: libarchive and MAC labels
Message-ID: <62DD3F47DDCD4105AC023171CCF8BDA2@white>
In-Reply-To: <alpine.LNX.2.03.1306101748380.429@chu>
References: <alpine.LNX.2.03.1306101748380.429@chu>

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of
> priit@cc.ttu.ee
> Sent: Tuesday, 11 June 2013 1:10 AM
> To: freebsd-security@freebsd.org
> Subject: libarchive and MAC labels
>
> I've created a patch for libarchive that allows storing and
> restoring MAC labels from/to a multilabel filesystem using
> bsdtar. Now before going anywhere with this I had a few questions:
>
> - how much general interest is there in such a feature? Would
> this be a welcome addition to libarchive, either "upstream"
> or as integrated in the system source tree. I would be
> especially interested in the opinion of people who have
> already been involved with the MAC development.
>
> - right now the labels are stored silently, similar to ACL-s
> and extended attributes. They are not extracted by default,
> only when the '-p' option is specified (default as root).
> This seems consistent, however it would also be possible to
> add a switch so that the labels wouldn't be archived unless
> explicitly requested.
>
> - the labels are stored in text representation, as converted
> by mac_to_text(). This could potentially cause some future
> breakage, if the text representation ever changes. Also,
> restoring a label partially (let's say a biba+MLS label with
> only biba enabled) does not work. Any thoughts on that?
>
> Thanks,
> Priit.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe@freebsd.org"

Priit,

Thank you for addressing a significant backup/recovery shortcoming. I've used biba extensively; however, if files/directories are backed up with MLS+biba and recovered in a biba-only environment, that is the sysadmin's choice. Warning messages are fine, but the restoration should continue (if possible).

Regards,
Dewayne.