Tar storage of SELinux context, translated or not

Tar storage of SELinux context, translated or not

[James Antill]

[-- Attachment #1: Type: text/plain, Size: 910 bytes --]


 As some of you know, I have done patches to make GNUtar able to
save/restore ACLs, SELinux context and generic user xattrs. I've
recently had to fixup the ACL support for compatibility with star etc.,
and for a couple of reasons that got me thinking about the SELinux
support as well.

 I had originally decided that the SELinux security context should be
stored in translated form, Ie. getfilecon => tar => setfilecon, my
thinking was that if you want to store something over a long period this
is the better format ... but as I think more about it now I'm not 100%
convinced (for instance, AIUI ipsec etc. uses raw format to distribute
context between machines).
 With the current changes, this is a great time to change it (but I
really, really, don't want to have an option either way) ... if we want
to. So should I change it to non-translated?

-- 
James Antill <jantill@redhat.com>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Tar storage of SELinux context, translated or not

[Paul Moore]

On Wednesday, January 10 2007 11:53 am, James Antill wrote:
>  As some of you know, I have done patches to make GNUtar able to
> save/restore ACLs, SELinux context and generic user xattrs. I've
> recently had to fixup the ACL support for compatibility with star etc.,
> and for a couple of reasons that got me thinking about the SELinux
> support as well.
>
>  I had originally decided that the SELinux security context should be
> stored in translated form, Ie. getfilecon => tar => setfilecon, my
> thinking was that if you want to store something over a long period this
> is the better format ... but as I think more about it now I'm not 100%
> convinced (for instance, AIUI ipsec etc. uses raw format to distribute
> context between machines).
>  With the current changes, this is a great time to change it (but I
> really, really, don't want to have an option either way) ... if we want
> to. So should I change it to non-translated?

Regardless of what the tar command does, you could always have the tarfile 
format allow either (store both the context string as well as a flag 
indicating if the context was translated).  This way if things change down 
the road all the existing tar files are still valid.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Tar storage of SELinux context, translated or not

[Stephen Smalley]

On Wed, 2007-01-10 at 11:53 -0500, James Antill wrote:
>  As some of you know, I have done patches to make GNUtar able to
> save/restore ACLs, SELinux context and generic user xattrs. I've
> recently had to fixup the ACL support for compatibility with star etc.,
> and for a couple of reasons that got me thinking about the SELinux
> support as well.
> 
>  I had originally decided that the SELinux security context should be
> stored in translated form, Ie. getfilecon => tar => setfilecon, my
> thinking was that if you want to store something over a long period this
> is the better format ... but as I think more about it now I'm not 100%
> convinced (for instance, AIUI ipsec etc. uses raw format to distribute
> context between machines).
>  With the current changes, this is a great time to change it (but I
> really, really, don't want to have an option either way) ... if we want
> to. So should I change it to non-translated?

The translated form has more semantic meaning, and thus seems better for
archival.  On the ipsec side, I think Tresys is working on extensions to
racoon to support label translation for a different purpose - supporting
different policy realms that may require mappings between labels.  

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Tar storage of SELinux context, translated or not

[Casey Schaufler]

--- James Antill <jantill@redhat.com> wrote:


>  I had originally decided that the SELinux security
> context should be
> stored in translated form, Ie. getfilecon => tar =>
> setfilecon, my
> thinking was that if you want to store something
> over a long period this
> is the better format ... but as I think more about
> it now I'm not 100%
> convinced (for instance, AIUI ipsec etc. uses raw
> format to distribute
> context between machines).
>  With the current changes, this is a great time to
> change it (but I
> really, really, don't want to have an option either
> way) ... if we want
> to. So should I change it to non-translated?

Since it is possible that the two make get out
of sync as policy development progresses it
might make the most sense to keep both and
provide for the user to select one of:
   - use the raw, ignore the translated
   - use the translated, ignore the raw
   - use the either, but only if the current
     system would translate the stored raw
     into the stored translated

The MLS systems that I worked on always saved
the "human readable" labels. The 1990's POSIX
group always assumed that export/import
utilities would use human friendly values.
Personally, I think you should stick with the
translated values, as they are most likely
to remain meaningfull over time.
 

Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.