Re: SELinux compatible with XFS?

Re: SELinux compatible with XFS?

[Howard Holm]

A labeled file system is necessary to do anything usefull with
SELinux.  We have not currently done any work to provide labels in
XFS.  Echoing Stephen Smalley's note to Mark Lucas on Friday about
ReiserFS, we provide general support for all file systems for mapping
persistent security identifiers (PSIDs) to security contexts in
fs/psid.c, so each file system type only needs to implement support for
binding a PSID to each on-disk inode.  With ext2, we were able to use
an unused field in the on-disk inode to store the PSID.

While I'm not completely familiar with XFS, my understanding is that
one of its advantages is that it stores extended attributes with the
files.  So, it should, hopefully, be relatively easy to add a PSID to the
extended file attributes.  That said, it isn't one of NSA's priorities
to add that support.  If someone else wants it enough to do the work,
we'd certainly like to see the results made available.

K Mitchell Russell writes: 
>
> Is the SELinux patch for 2.4.2 kernel usable with an existing Linux
> (SGI) XFS filesystem?  Or does it require the ext2 filesystem for
> labelling.  Just thought I would check with other's experiences before
> embarking down this tortuous path.

--
Howard Holm <hdholm@epoch.ncsc.mil>
Information Assurance Research Office
National Security Agency

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux compatible with XFS?

[Jose Nazario]

On Mon, 19 Mar 2001, Howard Holm wrote:

> While I'm not completely familiar with XFS, my understanding is that
> one of its advantages is that it stores extended attributes with the
> files.  So, it should, hopefully, be relatively easy to add a PSID to
> the extended file attributes.  That said, it isn't one of NSA's
> priorities to add that support.  If someone else wants it enough to do
> the work, we'd certainly like to see the results made available.

i'd like to chime in with some notes from the field and some links.

first up, we've just migrated *away* from XFS on some early 2.4 kernels on
out local LUG server, lockups and IO problems were just too great. that is
to say that this may have been fixed in recent releases of the 2.4 kernel
and the XFS source. i hope so, we would hover around 8 hours of uptime on
a busy server.

however, Linus is not happy to import large chunks of code into the
kernel, which will probably slow the adoption of XFS in Linux. also, they
recently officialy merged Reiser in, albeit you have to request
experimental code.

but, having been using XFS on IRIX for many, many years, i can say it's
one high performance filesystem. and yes, it does have extended attributes
on Linux, like MACLs and such. very nice, indeed. hence, with whatever
little weight i have here (i don't code stuff for you guys, for example),
i would like to vote for XFS in SELinux over other filesystems. i know
that SGI could use the help, and i know that the features of XFS would be
well utilized in SELinux.

some papers on XFS have appeared, and are available in large measure at:

	http://linux-xfs.sgi.com/projects/xfs/publications.html

later,

____________________________
jose nazario						     jose@cwru.edu
	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux compatible with XFS?

[Michael Tiemann]

We've been doing extensive testing of the 2.4 kernel, and there are all 
sorts of exciting ways in which it can corrupt _any_ filesystem (it's one 
reason we haven't released a 2.4-based product ;-).  We're working hard 
with others to fix those problems.  I wouldn't blame XFS just yet.

M

Jose Nazario wrote:

> On Mon, 19 Mar 2001, Howard Holm wrote:
> 
> 
>> While I'm not completely familiar with XFS, my understanding is that
>> one of its advantages is that it stores extended attributes with the
>> files.  So, it should, hopefully, be relatively easy to add a PSID to
>> the extended file attributes.  That said, it isn't one of NSA's
>> priorities to add that support.  If someone else wants it enough to do
>> the work, we'd certainly like to see the results made available.
> 
> 
> i'd like to chime in with some notes from the field and some links.
> 
> first up, we've just migrated *away* from XFS on some early 2.4 kernels on
> out local LUG server, lockups and IO problems were just too great. that is
> to say that this may have been fixed in recent releases of the 2.4 kernel
> and the XFS source. i hope so, we would hover around 8 hours of uptime on
> a busy server.
> 
> however, Linus is not happy to import large chunks of code into the
> kernel, which will probably slow the adoption of XFS in Linux. also, they
> recently officialy merged Reiser in, albeit you have to request
> experimental code.
> 
> but, having been using XFS on IRIX for many, many years, i can say it's
> one high performance filesystem. and yes, it does have extended attributes
> on Linux, like MACLs and such. very nice, indeed. hence, with whatever
> little weight i have here (i don't code stuff for you guys, for example),
> i would like to vote for XFS in SELinux over other filesystems. i know
> that SGI could use the help, and i know that the features of XFS would be
> well utilized in SELinux.
> 
> some papers on XFS have appeared, and are available in large measure at:
> 
> 	http://linux-xfs.sgi.com/projects/xfs/publications.html
> 
> later,
> 
> ____________________________
> jose nazario						     jose@cwru.edu
> 	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
> 				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
> 
> 
> --
> You have received this message because you are subscribed to the selinux list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux compatible with XFS?

[Florin Andrei]

On 19 Mar 2001 11:45:23 -0500, Howard Holm wrote:
> 
> While I'm not completely familiar with XFS, my understanding is that
> one of its advantages is that it stores extended attributes with the
> files.  So, it should, hopefully, be relatively easy to add a PSID to the
> extended file attributes.  That said, it isn't one of NSA's priorities
> to add that support.  If someone else wants it enough to do the work,
> we'd certainly like to see the results made available.

So, i suppose the same is true for SELinux and ReiserFS, right?

It would be nice to have journaling FS with SELinux... ;-)

-- 
Florin Andrei


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

SELinux compatible with XFS?

[K Mitchell Russell]

Colleagues,

Is the SELinux patch for 2.4.2 kernel usable with an existing Linux
(SGI) XFS filesystem?  Or does it require the ext2 filesystem for
labelling.  Just thought I would check with other's experiences before
embarking down this tortuous path.

Many thanks,

K. Mitchell Russell, M.D.
kmrussel@hsc.vcu.edu
MedITAC Research Lab
www.meditac.com


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.