From: Matthew Thode <mthode@mthode.org>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: selinux on zfs(onlinux)
Date: Fri, 07 Jun 2013 14:37:37 -0500 [thread overview]
Message-ID: <51B23681.8070508@mthode.org> (raw)
In-Reply-To: <51B214EF.5090609@tycho.nsa.gov>
[-- Attachment #1: Type: text/plain, Size: 2142 bytes --]
On 06/07/2013 12:14 PM, Stephen Smalley wrote:
> On 06/07/2013 01:07 PM, Stephen Smalley wrote:
>> On 06/06/2013 08:14 PM, Matthew Thode wrote:
>>> zfs is very close to usable as a root file-system with selinux, but is
>>> just missing one thing, it doesn't know what to set the root context to
>>> on mount.
>>>
>>> I am going to petition for this to be added as a property, but should it
>>> be called rootcontext (want to make sure it's valid).
>>>
>>> system_u:object_r:fs_t is what I used just to get my system working
>>> (including stuff like /usr, but meh).
>>>
>>>
>>> here is the upstream bug if curious
>>> https://github.com/zfsonlinux/zfs/issues/1504
>>
>> The mount options interpreted by SELinux are:
>> 1. context= (treat all inodes in the filesystem as if they had the
>> specified security context regardless of any on-disk extended attribute
>> value),
>>
>> 2. fscontext= (treat the filesystem/superblock as if it had the
>> specified security context, used in certain permission checks affecting
>> filesystem operations like mount and umount),
>>
>> 3. rootcontext= (treat the root inode in the filesystem as if it had the
>> specified security context but the normal behavior for the rest, useful
>> for assigning an initial context to a root directory of e.g. a tmpfs
>> mount), and
>>
>> 4. defcontext= (treat any file that lacks an extended attribute as if it
>> had the specified security context).
>>
>> The context you specified is a fscontext (fs_t), not one normally used
>> for inodes. But I'm not sure which one you meant to use or whether you
>> ultimately ought to support them all.
>
> Possibly a simpler method would be to just pass through any mount
> options unknown to zfs to the kernel to allow interpretation and use by
> the vfs and/or security modules. That would also allow use with other
> security modules.
>
>
ya, this is probably a better option. I do think that rootcontext
matches closest though, but am confused as to how it is different then
fscontext. I will suggest a more generic option though, thanks :D
--
-- Matthew Thode
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2013-06-07 19:37 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-07 0:14 selinux on zfs(onlinux) Matthew Thode
2013-06-07 0:56 ` Patrick K., ITF
2013-06-07 2:24 ` Matthew Thode
2013-06-07 10:38 ` Patrick K., ITF
2013-06-07 13:48 ` Patrick K., ITF
2013-06-07 17:07 ` Stephen Smalley
2013-06-07 17:14 ` Stephen Smalley
2013-06-07 19:37 ` Matthew Thode [this message]
2013-06-10 12:18 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51B23681.8070508@mthode.org \
--to=mthode@mthode.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.