* cifs_t
From: Russell Coker @ 2004-07-05 13:52 UTC
To: SE Linux

typealias sambafs_t alias cifs_t;

What is the benefit of the above?

If we are going to make cifs_t the new name for what is currently sambafs_t
then surely the correct thing to do is to change the declaration of sambafs_t
to cifs_t and use the following typealias:

typealias cifs_t alias sambafs_t;

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: cifs_t
From: Luke Kenneth Casson Leighton @ 2004-07-05 18:58 UTC
To: Russell Coker; +Cc: SE Linux

CIFS is the protocol (common internet file system).

also known as SMB (server message block).

there are two open source CIFS server projects currently available.

three.

1) cliffs - an experimental project where the majority of the network
   traffic is parsed with some auto-generated code.

2) samba - the original open source smb server.

3) samba-tng - a fork of 2) which splits the incredible number of
   protocols implemented in samba out into separate services.

so yes, like postfix+exim+sendmail+etc all implement SMTP, it'd be
good to have a cifs_t type recognising the use of ports 445 and 139
(not counting 135 for dce/rpc portmapping, not counting 137 for
WINS / Network Neighbourhood, not counting 138 for the
NetBIOS-equivalent of UDP traffic... i _did_ say there were a lot of
protocols implemented in samba didn't i :)

l.

On Mon, Jul 05, 2004 at 11:52:53PM +1000, Russell Coker wrote:
> typealias sambafs_t alias cifs_t;
>
> What is the benefit of the above?
>
> If we are going to make cifs_t the new name for what is currently sambafs_t
> then surely the correct thing to do is to change the declaration of sambafs_t
> to cifs_t and use the following typealias:
>
> typealias cifs_t alias sambafs_t;

--
--
Information I post is with honesty, integrity, and the expectation that
you will take full responsibility if acting on the information contained,
and that, should you find it to be flawed or even mildly useful, you
will act with both honesty and integrity in return - and tell me.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />

* Re: cifs_t
From: Stephen Smalley @ 2004-07-07 18:18 UTC
To: Russell Coker; +Cc: SE Linux

On Mon, 2004-07-05 at 09:52, Russell Coker wrote:
> typealias sambafs_t alias cifs_t;
>
> What is the benefit of the above?
>
> If we are going to make cifs_t the new name for what is currently sambafs_t
> then surely the correct thing to do is to change the declaration of sambafs_t
> to cifs_t and use the following typealias:
>
> typealias cifs_t alias sambafs_t;

Looking at the CVS tree, it appears that it was changed from cifs_t to
sambafs_t on 5/4/2004, as part of a merge of a policy diff from Fedora.
cifs_t was retained as an alias for compatibility, IIRC.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

* Re: cifs_t
From: Luke Kenneth Casson Leighton @ 2004-07-07 20:28 UTC
To: Stephen Smalley; +Cc: Russell Coker, SE Linux

On Wed, Jul 07, 2004 at 02:18:12PM -0400, Stephen Smalley wrote:
> On Mon, 2004-07-05 at 09:52, Russell Coker wrote:
> > typealias sambafs_t alias cifs_t;
> >
> > What is the benefit of the above?
> >
> > If we are going to make cifs_t the new name for what is currently sambafs_t
> > then surely the correct thing to do is to change the declaration of sambafs_t
> > to cifs_t and use the following typealias:
> >
> > typealias cifs_t alias sambafs_t;
>
> Looking at the CVS tree, it appears that it was changed from cifs_t to
> sambafs_t on 5/4/2004, as part of a merge of a policy diff from Fedora.
> cifs_t was retained as an alias for compatibility, IIRC.

i understand from russell that cifs_t (sambafs_t) is for
client-side access auditing (not from server-side stuff as i
originally assumed).

... what happens when wine, which is in the process of implementing
its own [entire] smb client access method, due to license
incompatibility [and intransigence] of samba [team], provides an
alternative non-samba-based SMB access system?

... or is that something to worry about for another day, as-and-when?

l.

* Re: cifs_t
From: Russell Coker @ 2004-07-08 8:00 UTC
To: Stephen Smalley; +Cc: SE Linux

On Thu, 8 Jul 2004 04:18, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> Looking at the CVS tree, it appears that it was changed from cifs_t to
> sambafs_t on 5/4/2004, as part of a merge of a policy diff from Fedora.
> cifs_t was retained as an alias for compatibility, IIRC.

It seems that this was a mistake. In 2.6.7 the kernel module is cifs.ko, the
/proc/filesystems entry is cifs, and there is no mention of sambafs.

The correct thing to do is to make cifs_t the type name and sambafs_t the
alias.

The next thing we should do is think about when we will remove the old
aliases. I suggest that every typealias that is in the Fedora Core 2 policy
can be removed before FC3 without hurting anyone.
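
An added example, not code from the thread or from the policy tree: a sketch of the audit that removing old aliases implies, assuming policy source in the `typealias X alias Y;` form quoted above. It lists statements that still refer to an alias name and flags aliases that carry the kernel's filesystem name while the primary type does not; the sample policy, `user_t`, `old_t`, `legacy_*_t` and the function names are constructed for illustration.

```python
import re

# Constructed sample policy source (not taken from the CVS tree in the thread).
SAMPLE_POLICY = """\
type sambafs_t, fs_type;
typealias sambafs_t alias cifs_t;
type old_t;
typealias old_t alias { legacy_a_t legacy_b_t };
allow user_t cifs_t:dir { read search };
allow user_t sambafs_t:file read;
allow user_t legacy_b_t:file getattr;
"""

# Simplified grammar: "typealias <primary> alias <name>;" or "... alias { a b };"
TYPEALIAS_RE = re.compile(r"typealias\s+(\w+)\s+alias\s+(\{[^}]*\}|\w+)\s*;")

def parse_aliases(policy):
    """Return {alias_name: primary_type} from the typealias statements."""
    aliases = {}
    for primary, names in TYPEALIAS_RE.findall(policy):
        for alias in names.strip("{} ").split():
            aliases[alias] = primary
    return aliases

def alias_uses(policy):
    """Return (line_no, alias, primary) for statements that still use an alias.

    These are the lines that would stop compiling once the alias is removed.
    """
    aliases = parse_aliases(policy)
    hits = []
    for no, line in enumerate(policy.splitlines(), 1):
        code = line.split("#", 1)[0]          # ignore comments
        if code.lstrip().startswith("typealias"):
            continue                          # the declaration itself
        for tok in re.findall(r"\w+", code):
            if tok in aliases:
                hits.append((no, tok, aliases[tok]))
    return hits

def misnamed(policy, kernel_fs_names):
    """Aliases named after a kernel filesystem whose primary type is not."""
    out = []
    for alias, primary in sorted(parse_aliases(policy).items()):
        if (alias.endswith("_t") and alias[:-2] in kernel_fs_names
                and primary[:-2] not in kernel_fs_names):
            out.append((alias, primary))
    return out

if __name__ == "__main__":
    print(alias_uses(SAMPLE_POLICY))
    print(misnamed(SAMPLE_POLICY, {"cifs"}))  # names as in /proc/filesystems
```
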