From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with SMTP id l7FGUi2r021461 for ; Wed, 15 Aug 2007 12:30:44 -0400
Received: from web36611.mail.mud.yahoo.com (jazzhorn.ncsc.mil [144.51.5.9]) by jazzhorn.ncsc.mil (8.12.10/8.12.10) with SMTP id l7FGUheN016384 for ; Wed, 15 Aug 2007 16:30:43 GMT
Date: Wed, 15 Aug 2007 09:30:42 -0700 (PDT)
From: Casey Schaufler
Reply-To: casey@schaufler-ca.com
Subject: Re: [PATCH 00/16] Permit filesystem local caching [try #3]
To: Stephen Smalley , casey@schaufler-ca.com
Cc: David Howells , torvalds@osdl.org, akpm@osdl.org, steved@redhat.com, trond.myklebust@fys.uio.no, linux-fsdevel@vger.kernel.org, linux-cachefs@redhat.com, nfsv4@linux-nfs.org, linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov, LSM List
In-Reply-To: <1187113368.26008.226.camel@moss-spartans.epoch.ncsc.mil>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-ID: <18318.47287.qm@web36611.mail.mud.yahoo.com>
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

--- Stephen Smalley wrote:

> On Tue, 2007-08-14 at 08:53 -0700, Casey Schaufler wrote:
> > --- David Howells wrote:
> >
> > > Casey Schaufler wrote:
> > >
> > > > With Smack you can leave the label alone, raise CAP_MAC_OVERRIDE,
> > > > do your business of setting the label correctly, and then drop
> > > > the capability. No new hooks required.
> > >
> > > That sounds like a contradiction. How can you both leave it alone and
> > > set it?
> >
> > Whoops, sorry. You leave the process label alone and explicitly
> > set the file label using the xattr interfaces.
>
> xattr interfaces don't help with the initial labeling of the file when
> it is created.

That's true. The daemon needs to run with an appropriate label.
I don't believe that this is a situation with a really simple solution
because the activity being performed is unusual.
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


Casey Schaufler
casey@schaufler-ca.com